Merge tag 'm68knommu-for-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg...
[platform/kernel/linux-starfive.git] / crypto / testmgr.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Algorithm testing framework and tests.
4  *
5  * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
6  * Copyright (c) 2002 Jean-Francois Dive <jef@linuxbe.org>
7  * Copyright (c) 2007 Nokia Siemens Networks
8  * Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>
9  * Copyright (c) 2019 Google LLC
10  *
11  * Updated RFC4106 AES-GCM testing.
12  *    Authors: Aidan O'Mahony (aidan.o.mahony@intel.com)
13  *             Adrian Hoban <adrian.hoban@intel.com>
14  *             Gabriele Paoloni <gabriele.paoloni@intel.com>
15  *             Tadeusz Struk (tadeusz.struk@intel.com)
16  *    Copyright (c) 2010, Intel Corporation.
17  */
18
19 #include <crypto/aead.h>
20 #include <crypto/hash.h>
21 #include <crypto/skcipher.h>
22 #include <linux/err.h>
23 #include <linux/fips.h>
24 #include <linux/module.h>
25 #include <linux/once.h>
26 #include <linux/random.h>
27 #include <linux/scatterlist.h>
28 #include <linux/slab.h>
29 #include <linux/string.h>
30 #include <linux/uio.h>
31 #include <crypto/rng.h>
32 #include <crypto/drbg.h>
33 #include <crypto/akcipher.h>
34 #include <crypto/kpp.h>
35 #include <crypto/acompress.h>
36 #include <crypto/internal/cipher.h>
37 #include <crypto/internal/simd.h>
38
39 #include "internal.h"
40
41 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
42
43 static bool notests;
44 module_param(notests, bool, 0644);
45 MODULE_PARM_DESC(notests, "disable crypto self-tests");
46
47 static bool panic_on_fail;
48 module_param(panic_on_fail, bool, 0444);
49
50 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
51 static bool noextratests;
52 module_param(noextratests, bool, 0644);
53 MODULE_PARM_DESC(noextratests, "disable expensive crypto self-tests");
54
55 static unsigned int fuzz_iterations = 100;
56 module_param(fuzz_iterations, uint, 0644);
57 MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations");
58 #endif
59
60 #ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
61
62 /* a perfect nop */
63 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
64 {
65         return 0;
66 }
67
68 #else
69
70 #include "testmgr.h"
71
72 /*
73  * Need slab memory for testing (size in number of pages).
74  */
75 #define XBUFSIZE        8
76
77 /*
78 * Used by test_cipher()
79 */
80 #define ENCRYPT 1
81 #define DECRYPT 0
82
83 struct aead_test_suite {
84         const struct aead_testvec *vecs;
85         unsigned int count;
86
87         /*
88          * Set if trying to decrypt an inauthentic ciphertext with this
89          * algorithm might result in EINVAL rather than EBADMSG, due to other
90          * validation the algorithm does on the inputs such as length checks.
91          */
92         unsigned int einval_allowed : 1;
93
94         /*
95          * Set if this algorithm requires that the IV be located at the end of
96          * the AAD buffer, in addition to being given in the normal way.  The
97          * behavior when the two IV copies differ is implementation-defined.
98          */
99         unsigned int aad_iv : 1;
100 };
101
102 struct cipher_test_suite {
103         const struct cipher_testvec *vecs;
104         unsigned int count;
105 };
106
107 struct comp_test_suite {
108         struct {
109                 const struct comp_testvec *vecs;
110                 unsigned int count;
111         } comp, decomp;
112 };
113
114 struct hash_test_suite {
115         const struct hash_testvec *vecs;
116         unsigned int count;
117 };
118
119 struct cprng_test_suite {
120         const struct cprng_testvec *vecs;
121         unsigned int count;
122 };
123
124 struct drbg_test_suite {
125         const struct drbg_testvec *vecs;
126         unsigned int count;
127 };
128
129 struct akcipher_test_suite {
130         const struct akcipher_testvec *vecs;
131         unsigned int count;
132 };
133
134 struct kpp_test_suite {
135         const struct kpp_testvec *vecs;
136         unsigned int count;
137 };
138
139 struct alg_test_desc {
140         const char *alg;
141         const char *generic_driver;
142         int (*test)(const struct alg_test_desc *desc, const char *driver,
143                     u32 type, u32 mask);
144         int fips_allowed;       /* set if alg is allowed in fips mode */
145
146         union {
147                 struct aead_test_suite aead;
148                 struct cipher_test_suite cipher;
149                 struct comp_test_suite comp;
150                 struct hash_test_suite hash;
151                 struct cprng_test_suite cprng;
152                 struct drbg_test_suite drbg;
153                 struct akcipher_test_suite akcipher;
154                 struct kpp_test_suite kpp;
155         } suite;
156 };
157
158 static void hexdump(unsigned char *buf, unsigned int len)
159 {
160         print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
161                         16, 1,
162                         buf, len, false);
163 }
164
165 static int __testmgr_alloc_buf(char *buf[XBUFSIZE], int order)
166 {
167         int i;
168
169         for (i = 0; i < XBUFSIZE; i++) {
170                 buf[i] = (char *)__get_free_pages(GFP_KERNEL, order);
171                 if (!buf[i])
172                         goto err_free_buf;
173         }
174
175         return 0;
176
177 err_free_buf:
178         while (i-- > 0)
179                 free_pages((unsigned long)buf[i], order);
180
181         return -ENOMEM;
182 }
183
184 static int testmgr_alloc_buf(char *buf[XBUFSIZE])
185 {
186         return __testmgr_alloc_buf(buf, 0);
187 }
188
189 static void __testmgr_free_buf(char *buf[XBUFSIZE], int order)
190 {
191         int i;
192
193         for (i = 0; i < XBUFSIZE; i++)
194                 free_pages((unsigned long)buf[i], order);
195 }
196
197 static void testmgr_free_buf(char *buf[XBUFSIZE])
198 {
199         __testmgr_free_buf(buf, 0);
200 }
201
202 #define TESTMGR_POISON_BYTE     0xfe
203 #define TESTMGR_POISON_LEN      16
204
205 static inline void testmgr_poison(void *addr, size_t len)
206 {
207         memset(addr, TESTMGR_POISON_BYTE, len);
208 }
209
210 /* Is the memory region still fully poisoned? */
211 static inline bool testmgr_is_poison(const void *addr, size_t len)
212 {
213         return memchr_inv(addr, TESTMGR_POISON_BYTE, len) == NULL;
214 }
215
216 /* flush type for hash algorithms */
217 enum flush_type {
218         /* merge with update of previous buffer(s) */
219         FLUSH_TYPE_NONE = 0,
220
221         /* update with previous buffer(s) before doing this one */
222         FLUSH_TYPE_FLUSH,
223
224         /* likewise, but also export and re-import the intermediate state */
225         FLUSH_TYPE_REIMPORT,
226 };
227
228 /* finalization function for hash algorithms */
229 enum finalization_type {
230         FINALIZATION_TYPE_FINAL,        /* use final() */
231         FINALIZATION_TYPE_FINUP,        /* use finup() */
232         FINALIZATION_TYPE_DIGEST,       /* use digest() */
233 };
234
235 /*
236  * Whether the crypto operation will occur in-place, and if so whether the
237  * source and destination scatterlist pointers will coincide (req->src ==
238  * req->dst), or whether they'll merely point to two separate scatterlists
239  * (req->src != req->dst) that reference the same underlying memory.
240  *
241  * This is only relevant for algorithm types that support in-place operation.
242  */
243 enum inplace_mode {
244         OUT_OF_PLACE,
245         INPLACE_ONE_SGLIST,
246         INPLACE_TWO_SGLISTS,
247 };
248
249 #define TEST_SG_TOTAL   10000
250
251 /**
252  * struct test_sg_division - description of a scatterlist entry
253  *
254  * This struct describes one entry of a scatterlist being constructed to check a
255  * crypto test vector.
256  *
257  * @proportion_of_total: length of this chunk relative to the total length,
258  *                       given as a proportion out of TEST_SG_TOTAL so that it
259  *                       scales to fit any test vector
260  * @offset: byte offset into a 2-page buffer at which this chunk will start
261  * @offset_relative_to_alignmask: if true, add the algorithm's alignmask to the
262  *                                @offset
263  * @flush_type: for hashes, whether an update() should be done now vs.
264  *              continuing to accumulate data
265  * @nosimd: if doing the pending update(), do it with SIMD disabled?
266  */
267 struct test_sg_division {
268         unsigned int proportion_of_total;
269         unsigned int offset;
270         bool offset_relative_to_alignmask;
271         enum flush_type flush_type;
272         bool nosimd;
273 };
274
275 /**
276  * struct testvec_config - configuration for testing a crypto test vector
277  *
278  * This struct describes the data layout and other parameters with which each
279  * crypto test vector can be tested.
280  *
281  * @name: name of this config, logged for debugging purposes if a test fails
282  * @inplace_mode: whether and how to operate on the data in-place, if applicable
283  * @req_flags: extra request_flags, e.g. CRYPTO_TFM_REQ_MAY_SLEEP
284  * @src_divs: description of how to arrange the source scatterlist
285  * @dst_divs: description of how to arrange the dst scatterlist, if applicable
286  *            for the algorithm type.  Defaults to @src_divs if unset.
287  * @iv_offset: misalignment of the IV in the range [0..MAX_ALGAPI_ALIGNMASK+1],
288  *             where 0 is aligned to a 2*(MAX_ALGAPI_ALIGNMASK+1) byte boundary
289  * @iv_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
290  *                                   the @iv_offset
291  * @key_offset: misalignment of the key, where 0 is default alignment
292  * @key_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
293  *                                    the @key_offset
294  * @finalization_type: what finalization function to use for hashes
295  * @nosimd: execute with SIMD disabled?  Requires !CRYPTO_TFM_REQ_MAY_SLEEP.
296  */
297 struct testvec_config {
298         const char *name;
299         enum inplace_mode inplace_mode;
300         u32 req_flags;
301         struct test_sg_division src_divs[XBUFSIZE];
302         struct test_sg_division dst_divs[XBUFSIZE];
303         unsigned int iv_offset;
304         unsigned int key_offset;
305         bool iv_offset_relative_to_alignmask;
306         bool key_offset_relative_to_alignmask;
307         enum finalization_type finalization_type;
308         bool nosimd;
309 };
310
311 #define TESTVEC_CONFIG_NAMELEN  192
312
313 /*
314  * The following are the lists of testvec_configs to test for each algorithm
315  * type when the basic crypto self-tests are enabled, i.e. when
316  * CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is unset.  They aim to provide good test
317  * coverage, while keeping the test time much shorter than the full fuzz tests
318  * so that the basic tests can be enabled in a wider range of circumstances.
319  */
320
321 /* Configs for skciphers and aeads */
322 static const struct testvec_config default_cipher_testvec_configs[] = {
323         {
324                 .name = "in-place (one sglist)",
325                 .inplace_mode = INPLACE_ONE_SGLIST,
326                 .src_divs = { { .proportion_of_total = 10000 } },
327         }, {
328                 .name = "in-place (two sglists)",
329                 .inplace_mode = INPLACE_TWO_SGLISTS,
330                 .src_divs = { { .proportion_of_total = 10000 } },
331         }, {
332                 .name = "out-of-place",
333                 .inplace_mode = OUT_OF_PLACE,
334                 .src_divs = { { .proportion_of_total = 10000 } },
335         }, {
336                 .name = "unaligned buffer, offset=1",
337                 .src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
338                 .iv_offset = 1,
339                 .key_offset = 1,
340         }, {
341                 .name = "buffer aligned only to alignmask",
342                 .src_divs = {
343                         {
344                                 .proportion_of_total = 10000,
345                                 .offset = 1,
346                                 .offset_relative_to_alignmask = true,
347                         },
348                 },
349                 .iv_offset = 1,
350                 .iv_offset_relative_to_alignmask = true,
351                 .key_offset = 1,
352                 .key_offset_relative_to_alignmask = true,
353         }, {
354                 .name = "two even aligned splits",
355                 .src_divs = {
356                         { .proportion_of_total = 5000 },
357                         { .proportion_of_total = 5000 },
358                 },
359         }, {
360                 .name = "uneven misaligned splits, may sleep",
361                 .req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
362                 .src_divs = {
363                         { .proportion_of_total = 1900, .offset = 33 },
364                         { .proportion_of_total = 3300, .offset = 7  },
365                         { .proportion_of_total = 4800, .offset = 18 },
366                 },
367                 .iv_offset = 3,
368                 .key_offset = 3,
369         }, {
370                 .name = "misaligned splits crossing pages, inplace",
371                 .inplace_mode = INPLACE_ONE_SGLIST,
372                 .src_divs = {
373                         {
374                                 .proportion_of_total = 7500,
375                                 .offset = PAGE_SIZE - 32
376                         }, {
377                                 .proportion_of_total = 2500,
378                                 .offset = PAGE_SIZE - 7
379                         },
380                 },
381         }
382 };
383
384 static const struct testvec_config default_hash_testvec_configs[] = {
385         {
386                 .name = "init+update+final aligned buffer",
387                 .src_divs = { { .proportion_of_total = 10000 } },
388                 .finalization_type = FINALIZATION_TYPE_FINAL,
389         }, {
390                 .name = "init+finup aligned buffer",
391                 .src_divs = { { .proportion_of_total = 10000 } },
392                 .finalization_type = FINALIZATION_TYPE_FINUP,
393         }, {
394                 .name = "digest aligned buffer",
395                 .src_divs = { { .proportion_of_total = 10000 } },
396                 .finalization_type = FINALIZATION_TYPE_DIGEST,
397         }, {
398                 .name = "init+update+final misaligned buffer",
399                 .src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
400                 .finalization_type = FINALIZATION_TYPE_FINAL,
401                 .key_offset = 1,
402         }, {
403                 .name = "digest buffer aligned only to alignmask",
404                 .src_divs = {
405                         {
406                                 .proportion_of_total = 10000,
407                                 .offset = 1,
408                                 .offset_relative_to_alignmask = true,
409                         },
410                 },
411                 .finalization_type = FINALIZATION_TYPE_DIGEST,
412                 .key_offset = 1,
413                 .key_offset_relative_to_alignmask = true,
414         }, {
415                 .name = "init+update+update+final two even splits",
416                 .src_divs = {
417                         { .proportion_of_total = 5000 },
418                         {
419                                 .proportion_of_total = 5000,
420                                 .flush_type = FLUSH_TYPE_FLUSH,
421                         },
422                 },
423                 .finalization_type = FINALIZATION_TYPE_FINAL,
424         }, {
425                 .name = "digest uneven misaligned splits, may sleep",
426                 .req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
427                 .src_divs = {
428                         { .proportion_of_total = 1900, .offset = 33 },
429                         { .proportion_of_total = 3300, .offset = 7  },
430                         { .proportion_of_total = 4800, .offset = 18 },
431                 },
432                 .finalization_type = FINALIZATION_TYPE_DIGEST,
433         }, {
434                 .name = "digest misaligned splits crossing pages",
435                 .src_divs = {
436                         {
437                                 .proportion_of_total = 7500,
438                                 .offset = PAGE_SIZE - 32,
439                         }, {
440                                 .proportion_of_total = 2500,
441                                 .offset = PAGE_SIZE - 7,
442                         },
443                 },
444                 .finalization_type = FINALIZATION_TYPE_DIGEST,
445         }, {
446                 .name = "import/export",
447                 .src_divs = {
448                         {
449                                 .proportion_of_total = 6500,
450                                 .flush_type = FLUSH_TYPE_REIMPORT,
451                         }, {
452                                 .proportion_of_total = 3500,
453                                 .flush_type = FLUSH_TYPE_REIMPORT,
454                         },
455                 },
456                 .finalization_type = FINALIZATION_TYPE_FINAL,
457         }
458 };
459
460 static unsigned int count_test_sg_divisions(const struct test_sg_division *divs)
461 {
462         unsigned int remaining = TEST_SG_TOTAL;
463         unsigned int ndivs = 0;
464
465         do {
466                 remaining -= divs[ndivs++].proportion_of_total;
467         } while (remaining);
468
469         return ndivs;
470 }
471
472 #define SGDIVS_HAVE_FLUSHES     BIT(0)
473 #define SGDIVS_HAVE_NOSIMD      BIT(1)
474
475 static bool valid_sg_divisions(const struct test_sg_division *divs,
476                                unsigned int count, int *flags_ret)
477 {
478         unsigned int total = 0;
479         unsigned int i;
480
481         for (i = 0; i < count && total != TEST_SG_TOTAL; i++) {
482                 if (divs[i].proportion_of_total <= 0 ||
483                     divs[i].proportion_of_total > TEST_SG_TOTAL - total)
484                         return false;
485                 total += divs[i].proportion_of_total;
486                 if (divs[i].flush_type != FLUSH_TYPE_NONE)
487                         *flags_ret |= SGDIVS_HAVE_FLUSHES;
488                 if (divs[i].nosimd)
489                         *flags_ret |= SGDIVS_HAVE_NOSIMD;
490         }
491         return total == TEST_SG_TOTAL &&
492                 memchr_inv(&divs[i], 0, (count - i) * sizeof(divs[0])) == NULL;
493 }
494
495 /*
496  * Check whether the given testvec_config is valid.  This isn't strictly needed
497  * since every testvec_config should be valid, but check anyway so that people
498  * don't unknowingly add broken configs that don't do what they wanted.
499  */
500 static bool valid_testvec_config(const struct testvec_config *cfg)
501 {
502         int flags = 0;
503
504         if (cfg->name == NULL)
505                 return false;
506
507         if (!valid_sg_divisions(cfg->src_divs, ARRAY_SIZE(cfg->src_divs),
508                                 &flags))
509                 return false;
510
511         if (cfg->dst_divs[0].proportion_of_total) {
512                 if (!valid_sg_divisions(cfg->dst_divs,
513                                         ARRAY_SIZE(cfg->dst_divs), &flags))
514                         return false;
515         } else {
516                 if (memchr_inv(cfg->dst_divs, 0, sizeof(cfg->dst_divs)))
517                         return false;
518                 /* defaults to dst_divs=src_divs */
519         }
520
521         if (cfg->iv_offset +
522             (cfg->iv_offset_relative_to_alignmask ? MAX_ALGAPI_ALIGNMASK : 0) >
523             MAX_ALGAPI_ALIGNMASK + 1)
524                 return false;
525
526         if ((flags & (SGDIVS_HAVE_FLUSHES | SGDIVS_HAVE_NOSIMD)) &&
527             cfg->finalization_type == FINALIZATION_TYPE_DIGEST)
528                 return false;
529
530         if ((cfg->nosimd || (flags & SGDIVS_HAVE_NOSIMD)) &&
531             (cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP))
532                 return false;
533
534         return true;
535 }
536
537 struct test_sglist {
538         char *bufs[XBUFSIZE];
539         struct scatterlist sgl[XBUFSIZE];
540         struct scatterlist sgl_saved[XBUFSIZE];
541         struct scatterlist *sgl_ptr;
542         unsigned int nents;
543 };
544
545 static int init_test_sglist(struct test_sglist *tsgl)
546 {
547         return __testmgr_alloc_buf(tsgl->bufs, 1 /* two pages per buffer */);
548 }
549
550 static void destroy_test_sglist(struct test_sglist *tsgl)
551 {
552         return __testmgr_free_buf(tsgl->bufs, 1 /* two pages per buffer */);
553 }
554
555 /**
556  * build_test_sglist() - build a scatterlist for a crypto test
557  *
558  * @tsgl: the scatterlist to build.  @tsgl->bufs[] contains an array of 2-page
559  *        buffers which the scatterlist @tsgl->sgl[] will be made to point into.
560  * @divs: the layout specification on which the scatterlist will be based
561  * @alignmask: the algorithm's alignmask
562  * @total_len: the total length of the scatterlist to build in bytes
563  * @data: if non-NULL, the buffers will be filled with this data until it ends.
564  *        Otherwise the buffers will be poisoned.  In both cases, some bytes
565  *        past the end of each buffer will be poisoned to help detect overruns.
566  * @out_divs: if non-NULL, the test_sg_division to which each scatterlist entry
567  *            corresponds will be returned here.  This will match @divs except
568  *            that divisions resolving to a length of 0 are omitted as they are
569  *            not included in the scatterlist.
570  *
571  * Return: 0 or a -errno value
572  */
573 static int build_test_sglist(struct test_sglist *tsgl,
574                              const struct test_sg_division *divs,
575                              const unsigned int alignmask,
576                              const unsigned int total_len,
577                              struct iov_iter *data,
578                              const struct test_sg_division *out_divs[XBUFSIZE])
579 {
580         struct {
581                 const struct test_sg_division *div;
582                 size_t length;
583         } partitions[XBUFSIZE];
584         const unsigned int ndivs = count_test_sg_divisions(divs);
585         unsigned int len_remaining = total_len;
586         unsigned int i;
587
588         BUILD_BUG_ON(ARRAY_SIZE(partitions) != ARRAY_SIZE(tsgl->sgl));
589         if (WARN_ON(ndivs > ARRAY_SIZE(partitions)))
590                 return -EINVAL;
591
592         /* Calculate the (div, length) pairs */
593         tsgl->nents = 0;
594         for (i = 0; i < ndivs; i++) {
595                 unsigned int len_this_sg =
596                         min(len_remaining,
597                             (total_len * divs[i].proportion_of_total +
598                              TEST_SG_TOTAL / 2) / TEST_SG_TOTAL);
599
600                 if (len_this_sg != 0) {
601                         partitions[tsgl->nents].div = &divs[i];
602                         partitions[tsgl->nents].length = len_this_sg;
603                         tsgl->nents++;
604                         len_remaining -= len_this_sg;
605                 }
606         }
607         if (tsgl->nents == 0) {
608                 partitions[tsgl->nents].div = &divs[0];
609                 partitions[tsgl->nents].length = 0;
610                 tsgl->nents++;
611         }
612         partitions[tsgl->nents - 1].length += len_remaining;
613
614         /* Set up the sgl entries and fill the data or poison */
615         sg_init_table(tsgl->sgl, tsgl->nents);
616         for (i = 0; i < tsgl->nents; i++) {
617                 unsigned int offset = partitions[i].div->offset;
618                 void *addr;
619
620                 if (partitions[i].div->offset_relative_to_alignmask)
621                         offset += alignmask;
622
623                 while (offset + partitions[i].length + TESTMGR_POISON_LEN >
624                        2 * PAGE_SIZE) {
625                         if (WARN_ON(offset <= 0))
626                                 return -EINVAL;
627                         offset /= 2;
628                 }
629
630                 addr = &tsgl->bufs[i][offset];
631                 sg_set_buf(&tsgl->sgl[i], addr, partitions[i].length);
632
633                 if (out_divs)
634                         out_divs[i] = partitions[i].div;
635
636                 if (data) {
637                         size_t copy_len, copied;
638
639                         copy_len = min(partitions[i].length, data->count);
640                         copied = copy_from_iter(addr, copy_len, data);
641                         if (WARN_ON(copied != copy_len))
642                                 return -EINVAL;
643                         testmgr_poison(addr + copy_len, partitions[i].length +
644                                        TESTMGR_POISON_LEN - copy_len);
645                 } else {
646                         testmgr_poison(addr, partitions[i].length +
647                                        TESTMGR_POISON_LEN);
648                 }
649         }
650
651         sg_mark_end(&tsgl->sgl[tsgl->nents - 1]);
652         tsgl->sgl_ptr = tsgl->sgl;
653         memcpy(tsgl->sgl_saved, tsgl->sgl, tsgl->nents * sizeof(tsgl->sgl[0]));
654         return 0;
655 }
656
657 /*
658  * Verify that a scatterlist crypto operation produced the correct output.
659  *
660  * @tsgl: scatterlist containing the actual output
661  * @expected_output: buffer containing the expected output
662  * @len_to_check: length of @expected_output in bytes
663  * @unchecked_prefix_len: number of ignored bytes in @tsgl prior to real result
664  * @check_poison: verify that the poison bytes after each chunk are intact?
665  *
666  * Return: 0 if correct, -EINVAL if incorrect, -EOVERFLOW if buffer overrun.
667  */
668 static int verify_correct_output(const struct test_sglist *tsgl,
669                                  const char *expected_output,
670                                  unsigned int len_to_check,
671                                  unsigned int unchecked_prefix_len,
672                                  bool check_poison)
673 {
674         unsigned int i;
675
676         for (i = 0; i < tsgl->nents; i++) {
677                 struct scatterlist *sg = &tsgl->sgl_ptr[i];
678                 unsigned int len = sg->length;
679                 unsigned int offset = sg->offset;
680                 const char *actual_output;
681
682                 if (unchecked_prefix_len) {
683                         if (unchecked_prefix_len >= len) {
684                                 unchecked_prefix_len -= len;
685                                 continue;
686                         }
687                         offset += unchecked_prefix_len;
688                         len -= unchecked_prefix_len;
689                         unchecked_prefix_len = 0;
690                 }
691                 len = min(len, len_to_check);
692                 actual_output = page_address(sg_page(sg)) + offset;
693                 if (memcmp(expected_output, actual_output, len) != 0)
694                         return -EINVAL;
695                 if (check_poison &&
696                     !testmgr_is_poison(actual_output + len, TESTMGR_POISON_LEN))
697                         return -EOVERFLOW;
698                 len_to_check -= len;
699                 expected_output += len;
700         }
701         if (WARN_ON(len_to_check != 0))
702                 return -EINVAL;
703         return 0;
704 }
705
706 static bool is_test_sglist_corrupted(const struct test_sglist *tsgl)
707 {
708         unsigned int i;
709
710         for (i = 0; i < tsgl->nents; i++) {
711                 if (tsgl->sgl[i].page_link != tsgl->sgl_saved[i].page_link)
712                         return true;
713                 if (tsgl->sgl[i].offset != tsgl->sgl_saved[i].offset)
714                         return true;
715                 if (tsgl->sgl[i].length != tsgl->sgl_saved[i].length)
716                         return true;
717         }
718         return false;
719 }
720
721 struct cipher_test_sglists {
722         struct test_sglist src;
723         struct test_sglist dst;
724 };
725
726 static struct cipher_test_sglists *alloc_cipher_test_sglists(void)
727 {
728         struct cipher_test_sglists *tsgls;
729
730         tsgls = kmalloc(sizeof(*tsgls), GFP_KERNEL);
731         if (!tsgls)
732                 return NULL;
733
734         if (init_test_sglist(&tsgls->src) != 0)
735                 goto fail_kfree;
736         if (init_test_sglist(&tsgls->dst) != 0)
737                 goto fail_destroy_src;
738
739         return tsgls;
740
741 fail_destroy_src:
742         destroy_test_sglist(&tsgls->src);
743 fail_kfree:
744         kfree(tsgls);
745         return NULL;
746 }
747
748 static void free_cipher_test_sglists(struct cipher_test_sglists *tsgls)
749 {
750         if (tsgls) {
751                 destroy_test_sglist(&tsgls->src);
752                 destroy_test_sglist(&tsgls->dst);
753                 kfree(tsgls);
754         }
755 }
756
757 /* Build the src and dst scatterlists for an skcipher or AEAD test */
758 static int build_cipher_test_sglists(struct cipher_test_sglists *tsgls,
759                                      const struct testvec_config *cfg,
760                                      unsigned int alignmask,
761                                      unsigned int src_total_len,
762                                      unsigned int dst_total_len,
763                                      const struct kvec *inputs,
764                                      unsigned int nr_inputs)
765 {
766         struct iov_iter input;
767         int err;
768
769         iov_iter_kvec(&input, WRITE, inputs, nr_inputs, src_total_len);
770         err = build_test_sglist(&tsgls->src, cfg->src_divs, alignmask,
771                                 cfg->inplace_mode != OUT_OF_PLACE ?
772                                         max(dst_total_len, src_total_len) :
773                                         src_total_len,
774                                 &input, NULL);
775         if (err)
776                 return err;
777
778         /*
779          * In-place crypto operations can use the same scatterlist for both the
780          * source and destination (req->src == req->dst), or can use separate
781          * scatterlists (req->src != req->dst) which point to the same
782          * underlying memory.  Make sure to test both cases.
783          */
784         if (cfg->inplace_mode == INPLACE_ONE_SGLIST) {
785                 tsgls->dst.sgl_ptr = tsgls->src.sgl;
786                 tsgls->dst.nents = tsgls->src.nents;
787                 return 0;
788         }
789         if (cfg->inplace_mode == INPLACE_TWO_SGLISTS) {
790                 /*
791                  * For now we keep it simple and only test the case where the
792                  * two scatterlists have identical entries, rather than
793                  * different entries that split up the same memory differently.
794                  */
795                 memcpy(tsgls->dst.sgl, tsgls->src.sgl,
796                        tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
797                 memcpy(tsgls->dst.sgl_saved, tsgls->src.sgl,
798                        tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
799                 tsgls->dst.sgl_ptr = tsgls->dst.sgl;
800                 tsgls->dst.nents = tsgls->src.nents;
801                 return 0;
802         }
803         /* Out of place */
804         return build_test_sglist(&tsgls->dst,
805                                  cfg->dst_divs[0].proportion_of_total ?
806                                         cfg->dst_divs : cfg->src_divs,
807                                  alignmask, dst_total_len, NULL, NULL);
808 }
809
810 /*
811  * Support for testing passing a misaligned key to setkey():
812  *
813  * If cfg->key_offset is set, copy the key into a new buffer at that offset,
814  * optionally adding alignmask.  Else, just use the key directly.
815  */
816 static int prepare_keybuf(const u8 *key, unsigned int ksize,
817                           const struct testvec_config *cfg,
818                           unsigned int alignmask,
819                           const u8 **keybuf_ret, const u8 **keyptr_ret)
820 {
821         unsigned int key_offset = cfg->key_offset;
822         u8 *keybuf = NULL, *keyptr = (u8 *)key;
823
824         if (key_offset != 0) {
825                 if (cfg->key_offset_relative_to_alignmask)
826                         key_offset += alignmask;
827                 keybuf = kmalloc(key_offset + ksize, GFP_KERNEL);
828                 if (!keybuf)
829                         return -ENOMEM;
830                 keyptr = keybuf + key_offset;
831                 memcpy(keyptr, key, ksize);
832         }
833         *keybuf_ret = keybuf;
834         *keyptr_ret = keyptr;
835         return 0;
836 }
837
838 /* Like setkey_f(tfm, key, ksize), but sometimes misalign the key */
839 #define do_setkey(setkey_f, tfm, key, ksize, cfg, alignmask)            \
840 ({                                                                      \
841         const u8 *keybuf, *keyptr;                                      \
842         int err;                                                        \
843                                                                         \
844         err = prepare_keybuf((key), (ksize), (cfg), (alignmask),        \
845                              &keybuf, &keyptr);                         \
846         if (err == 0) {                                                 \
847                 err = setkey_f((tfm), keyptr, (ksize));                 \
848                 kfree(keybuf);                                          \
849         }                                                               \
850         err;                                                            \
851 })
852
853 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
854
855 /* Generate a random length in range [0, max_len], but prefer smaller values */
856 static unsigned int generate_random_length(unsigned int max_len)
857 {
858         unsigned int len = prandom_u32() % (max_len + 1);
859
860         switch (prandom_u32() % 4) {
861         case 0:
862                 return len % 64;
863         case 1:
864                 return len % 256;
865         case 2:
866                 return len % 1024;
867         default:
868                 return len;
869         }
870 }
871
872 /* Flip a random bit in the given nonempty data buffer */
873 static void flip_random_bit(u8 *buf, size_t size)
874 {
875         size_t bitpos;
876
877         bitpos = prandom_u32() % (size * 8);
878         buf[bitpos / 8] ^= 1 << (bitpos % 8);
879 }
880
881 /* Flip a random byte in the given nonempty data buffer */
882 static void flip_random_byte(u8 *buf, size_t size)
883 {
884         buf[prandom_u32() % size] ^= 0xff;
885 }
886
887 /* Sometimes make some random changes to the given nonempty data buffer */
888 static void mutate_buffer(u8 *buf, size_t size)
889 {
890         size_t num_flips;
891         size_t i;
892
893         /* Sometimes flip some bits */
894         if (prandom_u32() % 4 == 0) {
895                 num_flips = min_t(size_t, 1 << (prandom_u32() % 8), size * 8);
896                 for (i = 0; i < num_flips; i++)
897                         flip_random_bit(buf, size);
898         }
899
900         /* Sometimes flip some bytes */
901         if (prandom_u32() % 4 == 0) {
902                 num_flips = min_t(size_t, 1 << (prandom_u32() % 8), size);
903                 for (i = 0; i < num_flips; i++)
904                         flip_random_byte(buf, size);
905         }
906 }
907
908 /* Randomly generate 'count' bytes, but sometimes make them "interesting" */
909 static void generate_random_bytes(u8 *buf, size_t count)
910 {
911         u8 b;
912         u8 increment;
913         size_t i;
914
915         if (count == 0)
916                 return;
917
918         switch (prandom_u32() % 8) { /* Choose a generation strategy */
919         case 0:
920         case 1:
921                 /* All the same byte, plus optional mutations */
922                 switch (prandom_u32() % 4) {
923                 case 0:
924                         b = 0x00;
925                         break;
926                 case 1:
927                         b = 0xff;
928                         break;
929                 default:
930                         b = (u8)prandom_u32();
931                         break;
932                 }
933                 memset(buf, b, count);
934                 mutate_buffer(buf, count);
935                 break;
936         case 2:
937                 /* Ascending or descending bytes, plus optional mutations */
938                 increment = (u8)prandom_u32();
939                 b = (u8)prandom_u32();
940                 for (i = 0; i < count; i++, b += increment)
941                         buf[i] = b;
942                 mutate_buffer(buf, count);
943                 break;
944         default:
945                 /* Fully random bytes */
946                 for (i = 0; i < count; i++)
947                         buf[i] = (u8)prandom_u32();
948         }
949 }
950
951 static char *generate_random_sgl_divisions(struct test_sg_division *divs,
952                                            size_t max_divs, char *p, char *end,
953                                            bool gen_flushes, u32 req_flags)
954 {
955         struct test_sg_division *div = divs;
956         unsigned int remaining = TEST_SG_TOTAL;
957
958         do {
959                 unsigned int this_len;
960                 const char *flushtype_str;
961
962                 if (div == &divs[max_divs - 1] || prandom_u32() % 2 == 0)
963                         this_len = remaining;
964                 else
965                         this_len = 1 + (prandom_u32() % remaining);
966                 div->proportion_of_total = this_len;
967
968                 if (prandom_u32() % 4 == 0)
969                         div->offset = (PAGE_SIZE - 128) + (prandom_u32() % 128);
970                 else if (prandom_u32() % 2 == 0)
971                         div->offset = prandom_u32() % 32;
972                 else
973                         div->offset = prandom_u32() % PAGE_SIZE;
974                 if (prandom_u32() % 8 == 0)
975                         div->offset_relative_to_alignmask = true;
976
977                 div->flush_type = FLUSH_TYPE_NONE;
978                 if (gen_flushes) {
979                         switch (prandom_u32() % 4) {
980                         case 0:
981                                 div->flush_type = FLUSH_TYPE_REIMPORT;
982                                 break;
983                         case 1:
984                                 div->flush_type = FLUSH_TYPE_FLUSH;
985                                 break;
986                         }
987                 }
988
989                 if (div->flush_type != FLUSH_TYPE_NONE &&
990                     !(req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
991                     prandom_u32() % 2 == 0)
992                         div->nosimd = true;
993
994                 switch (div->flush_type) {
995                 case FLUSH_TYPE_FLUSH:
996                         if (div->nosimd)
997                                 flushtype_str = "<flush,nosimd>";
998                         else
999                                 flushtype_str = "<flush>";
1000                         break;
1001                 case FLUSH_TYPE_REIMPORT:
1002                         if (div->nosimd)
1003                                 flushtype_str = "<reimport,nosimd>";
1004                         else
1005                                 flushtype_str = "<reimport>";
1006                         break;
1007                 default:
1008                         flushtype_str = "";
1009                         break;
1010                 }
1011
1012                 BUILD_BUG_ON(TEST_SG_TOTAL != 10000); /* for "%u.%u%%" */
1013                 p += scnprintf(p, end - p, "%s%u.%u%%@%s+%u%s", flushtype_str,
1014                                this_len / 100, this_len % 100,
1015                                div->offset_relative_to_alignmask ?
1016                                         "alignmask" : "",
1017                                div->offset, this_len == remaining ? "" : ", ");
1018                 remaining -= this_len;
1019                 div++;
1020         } while (remaining);
1021
1022         return p;
1023 }
1024
1025 /* Generate a random testvec_config for fuzz testing */
1026 static void generate_random_testvec_config(struct testvec_config *cfg,
1027                                            char *name, size_t max_namelen)
1028 {
1029         char *p = name;
1030         char * const end = name + max_namelen;
1031
1032         memset(cfg, 0, sizeof(*cfg));
1033
1034         cfg->name = name;
1035
1036         p += scnprintf(p, end - p, "random:");
1037
1038         switch (prandom_u32() % 4) {
1039         case 0:
1040         case 1:
1041                 cfg->inplace_mode = OUT_OF_PLACE;
1042                 break;
1043         case 2:
1044                 cfg->inplace_mode = INPLACE_ONE_SGLIST;
1045                 p += scnprintf(p, end - p, " inplace_one_sglist");
1046                 break;
1047         default:
1048                 cfg->inplace_mode = INPLACE_TWO_SGLISTS;
1049                 p += scnprintf(p, end - p, " inplace_two_sglists");
1050                 break;
1051         }
1052
1053         if (prandom_u32() % 2 == 0) {
1054                 cfg->req_flags |= CRYPTO_TFM_REQ_MAY_SLEEP;
1055                 p += scnprintf(p, end - p, " may_sleep");
1056         }
1057
1058         switch (prandom_u32() % 4) {
1059         case 0:
1060                 cfg->finalization_type = FINALIZATION_TYPE_FINAL;
1061                 p += scnprintf(p, end - p, " use_final");
1062                 break;
1063         case 1:
1064                 cfg->finalization_type = FINALIZATION_TYPE_FINUP;
1065                 p += scnprintf(p, end - p, " use_finup");
1066                 break;
1067         default:
1068                 cfg->finalization_type = FINALIZATION_TYPE_DIGEST;
1069                 p += scnprintf(p, end - p, " use_digest");
1070                 break;
1071         }
1072
1073         if (!(cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
1074             prandom_u32() % 2 == 0) {
1075                 cfg->nosimd = true;
1076                 p += scnprintf(p, end - p, " nosimd");
1077         }
1078
1079         p += scnprintf(p, end - p, " src_divs=[");
1080         p = generate_random_sgl_divisions(cfg->src_divs,
1081                                           ARRAY_SIZE(cfg->src_divs), p, end,
1082                                           (cfg->finalization_type !=
1083                                            FINALIZATION_TYPE_DIGEST),
1084                                           cfg->req_flags);
1085         p += scnprintf(p, end - p, "]");
1086
1087         if (cfg->inplace_mode == OUT_OF_PLACE && prandom_u32() % 2 == 0) {
1088                 p += scnprintf(p, end - p, " dst_divs=[");
1089                 p = generate_random_sgl_divisions(cfg->dst_divs,
1090                                                   ARRAY_SIZE(cfg->dst_divs),
1091                                                   p, end, false,
1092                                                   cfg->req_flags);
1093                 p += scnprintf(p, end - p, "]");
1094         }
1095
1096         if (prandom_u32() % 2 == 0) {
1097                 cfg->iv_offset = 1 + (prandom_u32() % MAX_ALGAPI_ALIGNMASK);
1098                 p += scnprintf(p, end - p, " iv_offset=%u", cfg->iv_offset);
1099         }
1100
1101         if (prandom_u32() % 2 == 0) {
1102                 cfg->key_offset = 1 + (prandom_u32() % MAX_ALGAPI_ALIGNMASK);
1103                 p += scnprintf(p, end - p, " key_offset=%u", cfg->key_offset);
1104         }
1105
1106         WARN_ON_ONCE(!valid_testvec_config(cfg));
1107 }
1108
1109 static void crypto_disable_simd_for_test(void)
1110 {
1111         migrate_disable();
1112         __this_cpu_write(crypto_simd_disabled_for_test, true);
1113 }
1114
1115 static void crypto_reenable_simd_for_test(void)
1116 {
1117         __this_cpu_write(crypto_simd_disabled_for_test, false);
1118         migrate_enable();
1119 }
1120
1121 /*
1122  * Given an algorithm name, build the name of the generic implementation of that
1123  * algorithm, assuming the usual naming convention.  Specifically, this appends
1124  * "-generic" to every part of the name that is not a template name.  Examples:
1125  *
1126  *      aes => aes-generic
1127  *      cbc(aes) => cbc(aes-generic)
1128  *      cts(cbc(aes)) => cts(cbc(aes-generic))
1129  *      rfc7539(chacha20,poly1305) => rfc7539(chacha20-generic,poly1305-generic)
1130  *
1131  * Return: 0 on success, or -ENAMETOOLONG if the generic name would be too long
1132  */
1133 static int build_generic_driver_name(const char *algname,
1134                                      char driver_name[CRYPTO_MAX_ALG_NAME])
1135 {
1136         const char *in = algname;
1137         char *out = driver_name;
1138         size_t len = strlen(algname);
1139
1140         if (len >= CRYPTO_MAX_ALG_NAME)
1141                 goto too_long;
1142         do {
1143                 const char *in_saved = in;
1144
1145                 while (*in && *in != '(' && *in != ')' && *in != ',')
1146                         *out++ = *in++;
1147                 if (*in != '(' && in > in_saved) {
1148                         len += 8;
1149                         if (len >= CRYPTO_MAX_ALG_NAME)
1150                                 goto too_long;
1151                         memcpy(out, "-generic", 8);
1152                         out += 8;
1153                 }
1154         } while ((*out++ = *in++) != '\0');
1155         return 0;
1156
1157 too_long:
1158         pr_err("alg: generic driver name for \"%s\" would be too long\n",
1159                algname);
1160         return -ENAMETOOLONG;
1161 }
1162 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1163 static void crypto_disable_simd_for_test(void)
1164 {
1165 }
1166
1167 static void crypto_reenable_simd_for_test(void)
1168 {
1169 }
1170 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1171
1172 static int build_hash_sglist(struct test_sglist *tsgl,
1173                              const struct hash_testvec *vec,
1174                              const struct testvec_config *cfg,
1175                              unsigned int alignmask,
1176                              const struct test_sg_division *divs[XBUFSIZE])
1177 {
1178         struct kvec kv;
1179         struct iov_iter input;
1180
1181         kv.iov_base = (void *)vec->plaintext;
1182         kv.iov_len = vec->psize;
1183         iov_iter_kvec(&input, WRITE, &kv, 1, vec->psize);
1184         return build_test_sglist(tsgl, cfg->src_divs, alignmask, vec->psize,
1185                                  &input, divs);
1186 }
1187
1188 static int check_hash_result(const char *type,
1189                              const u8 *result, unsigned int digestsize,
1190                              const struct hash_testvec *vec,
1191                              const char *vec_name,
1192                              const char *driver,
1193                              const struct testvec_config *cfg)
1194 {
1195         if (memcmp(result, vec->digest, digestsize) != 0) {
1196                 pr_err("alg: %s: %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
1197                        type, driver, vec_name, cfg->name);
1198                 return -EINVAL;
1199         }
1200         if (!testmgr_is_poison(&result[digestsize], TESTMGR_POISON_LEN)) {
1201                 pr_err("alg: %s: %s overran result buffer on test vector %s, cfg=\"%s\"\n",
1202                        type, driver, vec_name, cfg->name);
1203                 return -EOVERFLOW;
1204         }
1205         return 0;
1206 }
1207
1208 static inline int check_shash_op(const char *op, int err,
1209                                  const char *driver, const char *vec_name,
1210                                  const struct testvec_config *cfg)
1211 {
1212         if (err)
1213                 pr_err("alg: shash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1214                        driver, op, err, vec_name, cfg->name);
1215         return err;
1216 }
1217
1218 /* Test one hash test vector in one configuration, using the shash API */
1219 static int test_shash_vec_cfg(const struct hash_testvec *vec,
1220                               const char *vec_name,
1221                               const struct testvec_config *cfg,
1222                               struct shash_desc *desc,
1223                               struct test_sglist *tsgl,
1224                               u8 *hashstate)
1225 {
1226         struct crypto_shash *tfm = desc->tfm;
1227         const unsigned int alignmask = crypto_shash_alignmask(tfm);
1228         const unsigned int digestsize = crypto_shash_digestsize(tfm);
1229         const unsigned int statesize = crypto_shash_statesize(tfm);
1230         const char *driver = crypto_shash_driver_name(tfm);
1231         const struct test_sg_division *divs[XBUFSIZE];
1232         unsigned int i;
1233         u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1234         int err;
1235
1236         /* Set the key, if specified */
1237         if (vec->ksize) {
1238                 err = do_setkey(crypto_shash_setkey, tfm, vec->key, vec->ksize,
1239                                 cfg, alignmask);
1240                 if (err) {
1241                         if (err == vec->setkey_error)
1242                                 return 0;
1243                         pr_err("alg: shash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1244                                driver, vec_name, vec->setkey_error, err,
1245                                crypto_shash_get_flags(tfm));
1246                         return err;
1247                 }
1248                 if (vec->setkey_error) {
1249                         pr_err("alg: shash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1250                                driver, vec_name, vec->setkey_error);
1251                         return -EINVAL;
1252                 }
1253         }
1254
1255         /* Build the scatterlist for the source data */
1256         err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
1257         if (err) {
1258                 pr_err("alg: shash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1259                        driver, vec_name, cfg->name);
1260                 return err;
1261         }
1262
1263         /* Do the actual hashing */
1264
1265         testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1266         testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1267
1268         if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1269             vec->digest_error) {
1270                 /* Just using digest() */
1271                 if (tsgl->nents != 1)
1272                         return 0;
1273                 if (cfg->nosimd)
1274                         crypto_disable_simd_for_test();
1275                 err = crypto_shash_digest(desc, sg_virt(&tsgl->sgl[0]),
1276                                           tsgl->sgl[0].length, result);
1277                 if (cfg->nosimd)
1278                         crypto_reenable_simd_for_test();
1279                 if (err) {
1280                         if (err == vec->digest_error)
1281                                 return 0;
1282                         pr_err("alg: shash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1283                                driver, vec_name, vec->digest_error, err,
1284                                cfg->name);
1285                         return err;
1286                 }
1287                 if (vec->digest_error) {
1288                         pr_err("alg: shash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1289                                driver, vec_name, vec->digest_error, cfg->name);
1290                         return -EINVAL;
1291                 }
1292                 goto result_ready;
1293         }
1294
1295         /* Using init(), zero or more update(), then final() or finup() */
1296
1297         if (cfg->nosimd)
1298                 crypto_disable_simd_for_test();
1299         err = crypto_shash_init(desc);
1300         if (cfg->nosimd)
1301                 crypto_reenable_simd_for_test();
1302         err = check_shash_op("init", err, driver, vec_name, cfg);
1303         if (err)
1304                 return err;
1305
1306         for (i = 0; i < tsgl->nents; i++) {
1307                 if (i + 1 == tsgl->nents &&
1308                     cfg->finalization_type == FINALIZATION_TYPE_FINUP) {
1309                         if (divs[i]->nosimd)
1310                                 crypto_disable_simd_for_test();
1311                         err = crypto_shash_finup(desc, sg_virt(&tsgl->sgl[i]),
1312                                                  tsgl->sgl[i].length, result);
1313                         if (divs[i]->nosimd)
1314                                 crypto_reenable_simd_for_test();
1315                         err = check_shash_op("finup", err, driver, vec_name,
1316                                              cfg);
1317                         if (err)
1318                                 return err;
1319                         goto result_ready;
1320                 }
1321                 if (divs[i]->nosimd)
1322                         crypto_disable_simd_for_test();
1323                 err = crypto_shash_update(desc, sg_virt(&tsgl->sgl[i]),
1324                                           tsgl->sgl[i].length);
1325                 if (divs[i]->nosimd)
1326                         crypto_reenable_simd_for_test();
1327                 err = check_shash_op("update", err, driver, vec_name, cfg);
1328                 if (err)
1329                         return err;
1330                 if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1331                         /* Test ->export() and ->import() */
1332                         testmgr_poison(hashstate + statesize,
1333                                        TESTMGR_POISON_LEN);
1334                         err = crypto_shash_export(desc, hashstate);
1335                         err = check_shash_op("export", err, driver, vec_name,
1336                                              cfg);
1337                         if (err)
1338                                 return err;
1339                         if (!testmgr_is_poison(hashstate + statesize,
1340                                                TESTMGR_POISON_LEN)) {
1341                                 pr_err("alg: shash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1342                                        driver, vec_name, cfg->name);
1343                                 return -EOVERFLOW;
1344                         }
1345                         testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1346                         err = crypto_shash_import(desc, hashstate);
1347                         err = check_shash_op("import", err, driver, vec_name,
1348                                              cfg);
1349                         if (err)
1350                                 return err;
1351                 }
1352         }
1353
1354         if (cfg->nosimd)
1355                 crypto_disable_simd_for_test();
1356         err = crypto_shash_final(desc, result);
1357         if (cfg->nosimd)
1358                 crypto_reenable_simd_for_test();
1359         err = check_shash_op("final", err, driver, vec_name, cfg);
1360         if (err)
1361                 return err;
1362 result_ready:
1363         return check_hash_result("shash", result, digestsize, vec, vec_name,
1364                                  driver, cfg);
1365 }
1366
1367 static int do_ahash_op(int (*op)(struct ahash_request *req),
1368                        struct ahash_request *req,
1369                        struct crypto_wait *wait, bool nosimd)
1370 {
1371         int err;
1372
1373         if (nosimd)
1374                 crypto_disable_simd_for_test();
1375
1376         err = op(req);
1377
1378         if (nosimd)
1379                 crypto_reenable_simd_for_test();
1380
1381         return crypto_wait_req(err, wait);
1382 }
1383
1384 static int check_nonfinal_ahash_op(const char *op, int err,
1385                                    u8 *result, unsigned int digestsize,
1386                                    const char *driver, const char *vec_name,
1387                                    const struct testvec_config *cfg)
1388 {
1389         if (err) {
1390                 pr_err("alg: ahash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1391                        driver, op, err, vec_name, cfg->name);
1392                 return err;
1393         }
1394         if (!testmgr_is_poison(result, digestsize)) {
1395                 pr_err("alg: ahash: %s %s() used result buffer on test vector %s, cfg=\"%s\"\n",
1396                        driver, op, vec_name, cfg->name);
1397                 return -EINVAL;
1398         }
1399         return 0;
1400 }
1401
1402 /* Test one hash test vector in one configuration, using the ahash API */
1403 static int test_ahash_vec_cfg(const struct hash_testvec *vec,
1404                               const char *vec_name,
1405                               const struct testvec_config *cfg,
1406                               struct ahash_request *req,
1407                               struct test_sglist *tsgl,
1408                               u8 *hashstate)
1409 {
1410         struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1411         const unsigned int alignmask = crypto_ahash_alignmask(tfm);
1412         const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1413         const unsigned int statesize = crypto_ahash_statesize(tfm);
1414         const char *driver = crypto_ahash_driver_name(tfm);
1415         const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
1416         const struct test_sg_division *divs[XBUFSIZE];
1417         DECLARE_CRYPTO_WAIT(wait);
1418         unsigned int i;
1419         struct scatterlist *pending_sgl;
1420         unsigned int pending_len;
1421         u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1422         int err;
1423
1424         /* Set the key, if specified */
1425         if (vec->ksize) {
1426                 err = do_setkey(crypto_ahash_setkey, tfm, vec->key, vec->ksize,
1427                                 cfg, alignmask);
1428                 if (err) {
1429                         if (err == vec->setkey_error)
1430                                 return 0;
1431                         pr_err("alg: ahash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1432                                driver, vec_name, vec->setkey_error, err,
1433                                crypto_ahash_get_flags(tfm));
1434                         return err;
1435                 }
1436                 if (vec->setkey_error) {
1437                         pr_err("alg: ahash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1438                                driver, vec_name, vec->setkey_error);
1439                         return -EINVAL;
1440                 }
1441         }
1442
1443         /* Build the scatterlist for the source data */
1444         err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
1445         if (err) {
1446                 pr_err("alg: ahash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1447                        driver, vec_name, cfg->name);
1448                 return err;
1449         }
1450
1451         /* Do the actual hashing */
1452
1453         testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1454         testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1455
1456         if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1457             vec->digest_error) {
1458                 /* Just using digest() */
1459                 ahash_request_set_callback(req, req_flags, crypto_req_done,
1460                                            &wait);
1461                 ahash_request_set_crypt(req, tsgl->sgl, result, vec->psize);
1462                 err = do_ahash_op(crypto_ahash_digest, req, &wait, cfg->nosimd);
1463                 if (err) {
1464                         if (err == vec->digest_error)
1465                                 return 0;
1466                         pr_err("alg: ahash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1467                                driver, vec_name, vec->digest_error, err,
1468                                cfg->name);
1469                         return err;
1470                 }
1471                 if (vec->digest_error) {
1472                         pr_err("alg: ahash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1473                                driver, vec_name, vec->digest_error, cfg->name);
1474                         return -EINVAL;
1475                 }
1476                 goto result_ready;
1477         }
1478
1479         /* Using init(), zero or more update(), then final() or finup() */
1480
1481         ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1482         ahash_request_set_crypt(req, NULL, result, 0);
1483         err = do_ahash_op(crypto_ahash_init, req, &wait, cfg->nosimd);
1484         err = check_nonfinal_ahash_op("init", err, result, digestsize,
1485                                       driver, vec_name, cfg);
1486         if (err)
1487                 return err;
1488
1489         pending_sgl = NULL;
1490         pending_len = 0;
1491         for (i = 0; i < tsgl->nents; i++) {
1492                 if (divs[i]->flush_type != FLUSH_TYPE_NONE &&
1493                     pending_sgl != NULL) {
1494                         /* update() with the pending data */
1495                         ahash_request_set_callback(req, req_flags,
1496                                                    crypto_req_done, &wait);
1497                         ahash_request_set_crypt(req, pending_sgl, result,
1498                                                 pending_len);
1499                         err = do_ahash_op(crypto_ahash_update, req, &wait,
1500                                           divs[i]->nosimd);
1501                         err = check_nonfinal_ahash_op("update", err,
1502                                                       result, digestsize,
1503                                                       driver, vec_name, cfg);
1504                         if (err)
1505                                 return err;
1506                         pending_sgl = NULL;
1507                         pending_len = 0;
1508                 }
1509                 if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1510                         /* Test ->export() and ->import() */
1511                         testmgr_poison(hashstate + statesize,
1512                                        TESTMGR_POISON_LEN);
1513                         err = crypto_ahash_export(req, hashstate);
1514                         err = check_nonfinal_ahash_op("export", err,
1515                                                       result, digestsize,
1516                                                       driver, vec_name, cfg);
1517                         if (err)
1518                                 return err;
1519                         if (!testmgr_is_poison(hashstate + statesize,
1520                                                TESTMGR_POISON_LEN)) {
1521                                 pr_err("alg: ahash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1522                                        driver, vec_name, cfg->name);
1523                                 return -EOVERFLOW;
1524                         }
1525
1526                         testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1527                         err = crypto_ahash_import(req, hashstate);
1528                         err = check_nonfinal_ahash_op("import", err,
1529                                                       result, digestsize,
1530                                                       driver, vec_name, cfg);
1531                         if (err)
1532                                 return err;
1533                 }
1534                 if (pending_sgl == NULL)
1535                         pending_sgl = &tsgl->sgl[i];
1536                 pending_len += tsgl->sgl[i].length;
1537         }
1538
1539         ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1540         ahash_request_set_crypt(req, pending_sgl, result, pending_len);
1541         if (cfg->finalization_type == FINALIZATION_TYPE_FINAL) {
1542                 /* finish with update() and final() */
1543                 err = do_ahash_op(crypto_ahash_update, req, &wait, cfg->nosimd);
1544                 err = check_nonfinal_ahash_op("update", err, result, digestsize,
1545                                               driver, vec_name, cfg);
1546                 if (err)
1547                         return err;
1548                 err = do_ahash_op(crypto_ahash_final, req, &wait, cfg->nosimd);
1549                 if (err) {
1550                         pr_err("alg: ahash: %s final() failed with err %d on test vector %s, cfg=\"%s\"\n",
1551                                driver, err, vec_name, cfg->name);
1552                         return err;
1553                 }
1554         } else {
1555                 /* finish with finup() */
1556                 err = do_ahash_op(crypto_ahash_finup, req, &wait, cfg->nosimd);
1557                 if (err) {
1558                         pr_err("alg: ahash: %s finup() failed with err %d on test vector %s, cfg=\"%s\"\n",
1559                                driver, err, vec_name, cfg->name);
1560                         return err;
1561                 }
1562         }
1563
1564 result_ready:
1565         return check_hash_result("ahash", result, digestsize, vec, vec_name,
1566                                  driver, cfg);
1567 }
1568
1569 static int test_hash_vec_cfg(const struct hash_testvec *vec,
1570                              const char *vec_name,
1571                              const struct testvec_config *cfg,
1572                              struct ahash_request *req,
1573                              struct shash_desc *desc,
1574                              struct test_sglist *tsgl,
1575                              u8 *hashstate)
1576 {
1577         int err;
1578
1579         /*
1580          * For algorithms implemented as "shash", most bugs will be detected by
1581          * both the shash and ahash tests.  Test the shash API first so that the
1582          * failures involve less indirection, so are easier to debug.
1583          */
1584
1585         if (desc) {
1586                 err = test_shash_vec_cfg(vec, vec_name, cfg, desc, tsgl,
1587                                          hashstate);
1588                 if (err)
1589                         return err;
1590         }
1591
1592         return test_ahash_vec_cfg(vec, vec_name, cfg, req, tsgl, hashstate);
1593 }
1594
1595 static int test_hash_vec(const struct hash_testvec *vec, unsigned int vec_num,
1596                          struct ahash_request *req, struct shash_desc *desc,
1597                          struct test_sglist *tsgl, u8 *hashstate)
1598 {
1599         char vec_name[16];
1600         unsigned int i;
1601         int err;
1602
1603         sprintf(vec_name, "%u", vec_num);
1604
1605         for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++) {
1606                 err = test_hash_vec_cfg(vec, vec_name,
1607                                         &default_hash_testvec_configs[i],
1608                                         req, desc, tsgl, hashstate);
1609                 if (err)
1610                         return err;
1611         }
1612
1613 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1614         if (!noextratests) {
1615                 struct testvec_config cfg;
1616                 char cfgname[TESTVEC_CONFIG_NAMELEN];
1617
1618                 for (i = 0; i < fuzz_iterations; i++) {
1619                         generate_random_testvec_config(&cfg, cfgname,
1620                                                        sizeof(cfgname));
1621                         err = test_hash_vec_cfg(vec, vec_name, &cfg,
1622                                                 req, desc, tsgl, hashstate);
1623                         if (err)
1624                                 return err;
1625                         cond_resched();
1626                 }
1627         }
1628 #endif
1629         return 0;
1630 }
1631
1632 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1633 /*
1634  * Generate a hash test vector from the given implementation.
1635  * Assumes the buffers in 'vec' were already allocated.
1636  */
1637 static void generate_random_hash_testvec(struct shash_desc *desc,
1638                                          struct hash_testvec *vec,
1639                                          unsigned int maxkeysize,
1640                                          unsigned int maxdatasize,
1641                                          char *name, size_t max_namelen)
1642 {
1643         /* Data */
1644         vec->psize = generate_random_length(maxdatasize);
1645         generate_random_bytes((u8 *)vec->plaintext, vec->psize);
1646
1647         /*
1648          * Key: length in range [1, maxkeysize], but usually choose maxkeysize.
1649          * If algorithm is unkeyed, then maxkeysize == 0 and set ksize = 0.
1650          */
1651         vec->setkey_error = 0;
1652         vec->ksize = 0;
1653         if (maxkeysize) {
1654                 vec->ksize = maxkeysize;
1655                 if (prandom_u32() % 4 == 0)
1656                         vec->ksize = 1 + (prandom_u32() % maxkeysize);
1657                 generate_random_bytes((u8 *)vec->key, vec->ksize);
1658
1659                 vec->setkey_error = crypto_shash_setkey(desc->tfm, vec->key,
1660                                                         vec->ksize);
1661                 /* If the key couldn't be set, no need to continue to digest. */
1662                 if (vec->setkey_error)
1663                         goto done;
1664         }
1665
1666         /* Digest */
1667         vec->digest_error = crypto_shash_digest(desc, vec->plaintext,
1668                                                 vec->psize, (u8 *)vec->digest);
1669 done:
1670         snprintf(name, max_namelen, "\"random: psize=%u ksize=%u\"",
1671                  vec->psize, vec->ksize);
1672 }
1673
1674 /*
1675  * Test the hash algorithm represented by @req against the corresponding generic
1676  * implementation, if one is available.
1677  */
1678 static int test_hash_vs_generic_impl(const char *generic_driver,
1679                                      unsigned int maxkeysize,
1680                                      struct ahash_request *req,
1681                                      struct shash_desc *desc,
1682                                      struct test_sglist *tsgl,
1683                                      u8 *hashstate)
1684 {
1685         struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1686         const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1687         const unsigned int blocksize = crypto_ahash_blocksize(tfm);
1688         const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
1689         const char *algname = crypto_hash_alg_common(tfm)->base.cra_name;
1690         const char *driver = crypto_ahash_driver_name(tfm);
1691         char _generic_driver[CRYPTO_MAX_ALG_NAME];
1692         struct crypto_shash *generic_tfm = NULL;
1693         struct shash_desc *generic_desc = NULL;
1694         unsigned int i;
1695         struct hash_testvec vec = { 0 };
1696         char vec_name[64];
1697         struct testvec_config *cfg;
1698         char cfgname[TESTVEC_CONFIG_NAMELEN];
1699         int err;
1700
1701         if (noextratests)
1702                 return 0;
1703
1704         if (!generic_driver) { /* Use default naming convention? */
1705                 err = build_generic_driver_name(algname, _generic_driver);
1706                 if (err)
1707                         return err;
1708                 generic_driver = _generic_driver;
1709         }
1710
1711         if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
1712                 return 0;
1713
1714         generic_tfm = crypto_alloc_shash(generic_driver, 0, 0);
1715         if (IS_ERR(generic_tfm)) {
1716                 err = PTR_ERR(generic_tfm);
1717                 if (err == -ENOENT) {
1718                         pr_warn("alg: hash: skipping comparison tests for %s because %s is unavailable\n",
1719                                 driver, generic_driver);
1720                         return 0;
1721                 }
1722                 pr_err("alg: hash: error allocating %s (generic impl of %s): %d\n",
1723                        generic_driver, algname, err);
1724                 return err;
1725         }
1726
1727         cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
1728         if (!cfg) {
1729                 err = -ENOMEM;
1730                 goto out;
1731         }
1732
1733         generic_desc = kzalloc(sizeof(*desc) +
1734                                crypto_shash_descsize(generic_tfm), GFP_KERNEL);
1735         if (!generic_desc) {
1736                 err = -ENOMEM;
1737                 goto out;
1738         }
1739         generic_desc->tfm = generic_tfm;
1740
1741         /* Check the algorithm properties for consistency. */
1742
1743         if (digestsize != crypto_shash_digestsize(generic_tfm)) {
1744                 pr_err("alg: hash: digestsize for %s (%u) doesn't match generic impl (%u)\n",
1745                        driver, digestsize,
1746                        crypto_shash_digestsize(generic_tfm));
1747                 err = -EINVAL;
1748                 goto out;
1749         }
1750
1751         if (blocksize != crypto_shash_blocksize(generic_tfm)) {
1752                 pr_err("alg: hash: blocksize for %s (%u) doesn't match generic impl (%u)\n",
1753                        driver, blocksize, crypto_shash_blocksize(generic_tfm));
1754                 err = -EINVAL;
1755                 goto out;
1756         }
1757
1758         /*
1759          * Now generate test vectors using the generic implementation, and test
1760          * the other implementation against them.
1761          */
1762
1763         vec.key = kmalloc(maxkeysize, GFP_KERNEL);
1764         vec.plaintext = kmalloc(maxdatasize, GFP_KERNEL);
1765         vec.digest = kmalloc(digestsize, GFP_KERNEL);
1766         if (!vec.key || !vec.plaintext || !vec.digest) {
1767                 err = -ENOMEM;
1768                 goto out;
1769         }
1770
1771         for (i = 0; i < fuzz_iterations * 8; i++) {
1772                 generate_random_hash_testvec(generic_desc, &vec,
1773                                              maxkeysize, maxdatasize,
1774                                              vec_name, sizeof(vec_name));
1775                 generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
1776
1777                 err = test_hash_vec_cfg(&vec, vec_name, cfg,
1778                                         req, desc, tsgl, hashstate);
1779                 if (err)
1780                         goto out;
1781                 cond_resched();
1782         }
1783         err = 0;
1784 out:
1785         kfree(cfg);
1786         kfree(vec.key);
1787         kfree(vec.plaintext);
1788         kfree(vec.digest);
1789         crypto_free_shash(generic_tfm);
1790         kfree_sensitive(generic_desc);
1791         return err;
1792 }
1793 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1794 static int test_hash_vs_generic_impl(const char *generic_driver,
1795                                      unsigned int maxkeysize,
1796                                      struct ahash_request *req,
1797                                      struct shash_desc *desc,
1798                                      struct test_sglist *tsgl,
1799                                      u8 *hashstate)
1800 {
1801         return 0;
1802 }
1803 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1804
1805 static int alloc_shash(const char *driver, u32 type, u32 mask,
1806                        struct crypto_shash **tfm_ret,
1807                        struct shash_desc **desc_ret)
1808 {
1809         struct crypto_shash *tfm;
1810         struct shash_desc *desc;
1811
1812         tfm = crypto_alloc_shash(driver, type, mask);
1813         if (IS_ERR(tfm)) {
1814                 if (PTR_ERR(tfm) == -ENOENT) {
1815                         /*
1816                          * This algorithm is only available through the ahash
1817                          * API, not the shash API, so skip the shash tests.
1818                          */
1819                         return 0;
1820                 }
1821                 pr_err("alg: hash: failed to allocate shash transform for %s: %ld\n",
1822                        driver, PTR_ERR(tfm));
1823                 return PTR_ERR(tfm);
1824         }
1825
1826         desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
1827         if (!desc) {
1828                 crypto_free_shash(tfm);
1829                 return -ENOMEM;
1830         }
1831         desc->tfm = tfm;
1832
1833         *tfm_ret = tfm;
1834         *desc_ret = desc;
1835         return 0;
1836 }
1837
1838 static int __alg_test_hash(const struct hash_testvec *vecs,
1839                            unsigned int num_vecs, const char *driver,
1840                            u32 type, u32 mask,
1841                            const char *generic_driver, unsigned int maxkeysize)
1842 {
1843         struct crypto_ahash *atfm = NULL;
1844         struct ahash_request *req = NULL;
1845         struct crypto_shash *stfm = NULL;
1846         struct shash_desc *desc = NULL;
1847         struct test_sglist *tsgl = NULL;
1848         u8 *hashstate = NULL;
1849         unsigned int statesize;
1850         unsigned int i;
1851         int err;
1852
1853         /*
1854          * Always test the ahash API.  This works regardless of whether the
1855          * algorithm is implemented as ahash or shash.
1856          */
1857
1858         atfm = crypto_alloc_ahash(driver, type, mask);
1859         if (IS_ERR(atfm)) {
1860                 pr_err("alg: hash: failed to allocate transform for %s: %ld\n",
1861                        driver, PTR_ERR(atfm));
1862                 return PTR_ERR(atfm);
1863         }
1864         driver = crypto_ahash_driver_name(atfm);
1865
1866         req = ahash_request_alloc(atfm, GFP_KERNEL);
1867         if (!req) {
1868                 pr_err("alg: hash: failed to allocate request for %s\n",
1869                        driver);
1870                 err = -ENOMEM;
1871                 goto out;
1872         }
1873
1874         /*
1875          * If available also test the shash API, to cover corner cases that may
1876          * be missed by testing the ahash API only.
1877          */
1878         err = alloc_shash(driver, type, mask, &stfm, &desc);
1879         if (err)
1880                 goto out;
1881
1882         tsgl = kmalloc(sizeof(*tsgl), GFP_KERNEL);
1883         if (!tsgl || init_test_sglist(tsgl) != 0) {
1884                 pr_err("alg: hash: failed to allocate test buffers for %s\n",
1885                        driver);
1886                 kfree(tsgl);
1887                 tsgl = NULL;
1888                 err = -ENOMEM;
1889                 goto out;
1890         }
1891
1892         statesize = crypto_ahash_statesize(atfm);
1893         if (stfm)
1894                 statesize = max(statesize, crypto_shash_statesize(stfm));
1895         hashstate = kmalloc(statesize + TESTMGR_POISON_LEN, GFP_KERNEL);
1896         if (!hashstate) {
1897                 pr_err("alg: hash: failed to allocate hash state buffer for %s\n",
1898                        driver);
1899                 err = -ENOMEM;
1900                 goto out;
1901         }
1902
1903         for (i = 0; i < num_vecs; i++) {
1904                 if (fips_enabled && vecs[i].fips_skip)
1905                         continue;
1906
1907                 err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
1908                 if (err)
1909                         goto out;
1910                 cond_resched();
1911         }
1912         err = test_hash_vs_generic_impl(generic_driver, maxkeysize, req,
1913                                         desc, tsgl, hashstate);
1914 out:
1915         kfree(hashstate);
1916         if (tsgl) {
1917                 destroy_test_sglist(tsgl);
1918                 kfree(tsgl);
1919         }
1920         kfree(desc);
1921         crypto_free_shash(stfm);
1922         ahash_request_free(req);
1923         crypto_free_ahash(atfm);
1924         return err;
1925 }
1926
1927 static int alg_test_hash(const struct alg_test_desc *desc, const char *driver,
1928                          u32 type, u32 mask)
1929 {
1930         const struct hash_testvec *template = desc->suite.hash.vecs;
1931         unsigned int tcount = desc->suite.hash.count;
1932         unsigned int nr_unkeyed, nr_keyed;
1933         unsigned int maxkeysize = 0;
1934         int err;
1935
1936         /*
1937          * For OPTIONAL_KEY algorithms, we have to do all the unkeyed tests
1938          * first, before setting a key on the tfm.  To make this easier, we
1939          * require that the unkeyed test vectors (if any) are listed first.
1940          */
1941
1942         for (nr_unkeyed = 0; nr_unkeyed < tcount; nr_unkeyed++) {
1943                 if (template[nr_unkeyed].ksize)
1944                         break;
1945         }
1946         for (nr_keyed = 0; nr_unkeyed + nr_keyed < tcount; nr_keyed++) {
1947                 if (!template[nr_unkeyed + nr_keyed].ksize) {
1948                         pr_err("alg: hash: test vectors for %s out of order, "
1949                                "unkeyed ones must come first\n", desc->alg);
1950                         return -EINVAL;
1951                 }
1952                 maxkeysize = max_t(unsigned int, maxkeysize,
1953                                    template[nr_unkeyed + nr_keyed].ksize);
1954         }
1955
1956         err = 0;
1957         if (nr_unkeyed) {
1958                 err = __alg_test_hash(template, nr_unkeyed, driver, type, mask,
1959                                       desc->generic_driver, maxkeysize);
1960                 template += nr_unkeyed;
1961         }
1962
1963         if (!err && nr_keyed)
1964                 err = __alg_test_hash(template, nr_keyed, driver, type, mask,
1965                                       desc->generic_driver, maxkeysize);
1966
1967         return err;
1968 }
1969
1970 static int test_aead_vec_cfg(int enc, const struct aead_testvec *vec,
1971                              const char *vec_name,
1972                              const struct testvec_config *cfg,
1973                              struct aead_request *req,
1974                              struct cipher_test_sglists *tsgls)
1975 {
1976         struct crypto_aead *tfm = crypto_aead_reqtfm(req);
1977         const unsigned int alignmask = crypto_aead_alignmask(tfm);
1978         const unsigned int ivsize = crypto_aead_ivsize(tfm);
1979         const unsigned int authsize = vec->clen - vec->plen;
1980         const char *driver = crypto_aead_driver_name(tfm);
1981         const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
1982         const char *op = enc ? "encryption" : "decryption";
1983         DECLARE_CRYPTO_WAIT(wait);
1984         u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
1985         u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
1986                  cfg->iv_offset +
1987                  (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
1988         struct kvec input[2];
1989         int err;
1990
1991         /* Set the key */
1992         if (vec->wk)
1993                 crypto_aead_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1994         else
1995                 crypto_aead_clear_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1996
1997         err = do_setkey(crypto_aead_setkey, tfm, vec->key, vec->klen,
1998                         cfg, alignmask);
1999         if (err && err != vec->setkey_error) {
2000                 pr_err("alg: aead: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2001                        driver, vec_name, vec->setkey_error, err,
2002                        crypto_aead_get_flags(tfm));
2003                 return err;
2004         }
2005         if (!err && vec->setkey_error) {
2006                 pr_err("alg: aead: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2007                        driver, vec_name, vec->setkey_error);
2008                 return -EINVAL;
2009         }
2010
2011         /* Set the authentication tag size */
2012         err = crypto_aead_setauthsize(tfm, authsize);
2013         if (err && err != vec->setauthsize_error) {
2014                 pr_err("alg: aead: %s setauthsize failed on test vector %s; expected_error=%d, actual_error=%d\n",
2015                        driver, vec_name, vec->setauthsize_error, err);
2016                 return err;
2017         }
2018         if (!err && vec->setauthsize_error) {
2019                 pr_err("alg: aead: %s setauthsize unexpectedly succeeded on test vector %s; expected_error=%d\n",
2020                        driver, vec_name, vec->setauthsize_error);
2021                 return -EINVAL;
2022         }
2023
2024         if (vec->setkey_error || vec->setauthsize_error)
2025                 return 0;
2026
2027         /* The IV must be copied to a buffer, as the algorithm may modify it */
2028         if (WARN_ON(ivsize > MAX_IVLEN))
2029                 return -EINVAL;
2030         if (vec->iv)
2031                 memcpy(iv, vec->iv, ivsize);
2032         else
2033                 memset(iv, 0, ivsize);
2034
2035         /* Build the src/dst scatterlists */
2036         input[0].iov_base = (void *)vec->assoc;
2037         input[0].iov_len = vec->alen;
2038         input[1].iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2039         input[1].iov_len = enc ? vec->plen : vec->clen;
2040         err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2041                                         vec->alen + (enc ? vec->plen :
2042                                                      vec->clen),
2043                                         vec->alen + (enc ? vec->clen :
2044                                                      vec->plen),
2045                                         input, 2);
2046         if (err) {
2047                 pr_err("alg: aead: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2048                        driver, op, vec_name, cfg->name);
2049                 return err;
2050         }
2051
2052         /* Do the actual encryption or decryption */
2053         testmgr_poison(req->__ctx, crypto_aead_reqsize(tfm));
2054         aead_request_set_callback(req, req_flags, crypto_req_done, &wait);
2055         aead_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2056                                enc ? vec->plen : vec->clen, iv);
2057         aead_request_set_ad(req, vec->alen);
2058         if (cfg->nosimd)
2059                 crypto_disable_simd_for_test();
2060         err = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
2061         if (cfg->nosimd)
2062                 crypto_reenable_simd_for_test();
2063         err = crypto_wait_req(err, &wait);
2064
2065         /* Check that the algorithm didn't overwrite things it shouldn't have */
2066         if (req->cryptlen != (enc ? vec->plen : vec->clen) ||
2067             req->assoclen != vec->alen ||
2068             req->iv != iv ||
2069             req->src != tsgls->src.sgl_ptr ||
2070             req->dst != tsgls->dst.sgl_ptr ||
2071             crypto_aead_reqtfm(req) != tfm ||
2072             req->base.complete != crypto_req_done ||
2073             req->base.flags != req_flags ||
2074             req->base.data != &wait) {
2075                 pr_err("alg: aead: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2076                        driver, op, vec_name, cfg->name);
2077                 if (req->cryptlen != (enc ? vec->plen : vec->clen))
2078                         pr_err("alg: aead: changed 'req->cryptlen'\n");
2079                 if (req->assoclen != vec->alen)
2080                         pr_err("alg: aead: changed 'req->assoclen'\n");
2081                 if (req->iv != iv)
2082                         pr_err("alg: aead: changed 'req->iv'\n");
2083                 if (req->src != tsgls->src.sgl_ptr)
2084                         pr_err("alg: aead: changed 'req->src'\n");
2085                 if (req->dst != tsgls->dst.sgl_ptr)
2086                         pr_err("alg: aead: changed 'req->dst'\n");
2087                 if (crypto_aead_reqtfm(req) != tfm)
2088                         pr_err("alg: aead: changed 'req->base.tfm'\n");
2089                 if (req->base.complete != crypto_req_done)
2090                         pr_err("alg: aead: changed 'req->base.complete'\n");
2091                 if (req->base.flags != req_flags)
2092                         pr_err("alg: aead: changed 'req->base.flags'\n");
2093                 if (req->base.data != &wait)
2094                         pr_err("alg: aead: changed 'req->base.data'\n");
2095                 return -EINVAL;
2096         }
2097         if (is_test_sglist_corrupted(&tsgls->src)) {
2098                 pr_err("alg: aead: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2099                        driver, op, vec_name, cfg->name);
2100                 return -EINVAL;
2101         }
2102         if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2103             is_test_sglist_corrupted(&tsgls->dst)) {
2104                 pr_err("alg: aead: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2105                        driver, op, vec_name, cfg->name);
2106                 return -EINVAL;
2107         }
2108
2109         /* Check for unexpected success or failure, or wrong error code */
2110         if ((err == 0 && vec->novrfy) ||
2111             (err != vec->crypt_error && !(err == -EBADMSG && vec->novrfy))) {
2112                 char expected_error[32];
2113
2114                 if (vec->novrfy &&
2115                     vec->crypt_error != 0 && vec->crypt_error != -EBADMSG)
2116                         sprintf(expected_error, "-EBADMSG or %d",
2117                                 vec->crypt_error);
2118                 else if (vec->novrfy)
2119                         sprintf(expected_error, "-EBADMSG");
2120                 else
2121                         sprintf(expected_error, "%d", vec->crypt_error);
2122                 if (err) {
2123                         pr_err("alg: aead: %s %s failed on test vector %s; expected_error=%s, actual_error=%d, cfg=\"%s\"\n",
2124                                driver, op, vec_name, expected_error, err,
2125                                cfg->name);
2126                         return err;
2127                 }
2128                 pr_err("alg: aead: %s %s unexpectedly succeeded on test vector %s; expected_error=%s, cfg=\"%s\"\n",
2129                        driver, op, vec_name, expected_error, cfg->name);
2130                 return -EINVAL;
2131         }
2132         if (err) /* Expectedly failed. */
2133                 return 0;
2134
2135         /* Check for the correct output (ciphertext or plaintext) */
2136         err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2137                                     enc ? vec->clen : vec->plen,
2138                                     vec->alen,
2139                                     enc || cfg->inplace_mode == OUT_OF_PLACE);
2140         if (err == -EOVERFLOW) {
2141                 pr_err("alg: aead: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2142                        driver, op, vec_name, cfg->name);
2143                 return err;
2144         }
2145         if (err) {
2146                 pr_err("alg: aead: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2147                        driver, op, vec_name, cfg->name);
2148                 return err;
2149         }
2150
2151         return 0;
2152 }
2153
2154 static int test_aead_vec(int enc, const struct aead_testvec *vec,
2155                          unsigned int vec_num, struct aead_request *req,
2156                          struct cipher_test_sglists *tsgls)
2157 {
2158         char vec_name[16];
2159         unsigned int i;
2160         int err;
2161
2162         if (enc && vec->novrfy)
2163                 return 0;
2164
2165         sprintf(vec_name, "%u", vec_num);
2166
2167         for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2168                 err = test_aead_vec_cfg(enc, vec, vec_name,
2169                                         &default_cipher_testvec_configs[i],
2170                                         req, tsgls);
2171                 if (err)
2172                         return err;
2173         }
2174
2175 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2176         if (!noextratests) {
2177                 struct testvec_config cfg;
2178                 char cfgname[TESTVEC_CONFIG_NAMELEN];
2179
2180                 for (i = 0; i < fuzz_iterations; i++) {
2181                         generate_random_testvec_config(&cfg, cfgname,
2182                                                        sizeof(cfgname));
2183                         err = test_aead_vec_cfg(enc, vec, vec_name,
2184                                                 &cfg, req, tsgls);
2185                         if (err)
2186                                 return err;
2187                         cond_resched();
2188                 }
2189         }
2190 #endif
2191         return 0;
2192 }
2193
2194 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2195
2196 struct aead_extra_tests_ctx {
2197         struct aead_request *req;
2198         struct crypto_aead *tfm;
2199         const struct alg_test_desc *test_desc;
2200         struct cipher_test_sglists *tsgls;
2201         unsigned int maxdatasize;
2202         unsigned int maxkeysize;
2203
2204         struct aead_testvec vec;
2205         char vec_name[64];
2206         char cfgname[TESTVEC_CONFIG_NAMELEN];
2207         struct testvec_config cfg;
2208 };
2209
2210 /*
2211  * Make at least one random change to a (ciphertext, AAD) pair.  "Ciphertext"
2212  * here means the full ciphertext including the authentication tag.  The
2213  * authentication tag (and hence also the ciphertext) is assumed to be nonempty.
2214  */
2215 static void mutate_aead_message(struct aead_testvec *vec, bool aad_iv,
2216                                 unsigned int ivsize)
2217 {
2218         const unsigned int aad_tail_size = aad_iv ? ivsize : 0;
2219         const unsigned int authsize = vec->clen - vec->plen;
2220
2221         if (prandom_u32() % 2 == 0 && vec->alen > aad_tail_size) {
2222                  /* Mutate the AAD */
2223                 flip_random_bit((u8 *)vec->assoc, vec->alen - aad_tail_size);
2224                 if (prandom_u32() % 2 == 0)
2225                         return;
2226         }
2227         if (prandom_u32() % 2 == 0) {
2228                 /* Mutate auth tag (assuming it's at the end of ciphertext) */
2229                 flip_random_bit((u8 *)vec->ctext + vec->plen, authsize);
2230         } else {
2231                 /* Mutate any part of the ciphertext */
2232                 flip_random_bit((u8 *)vec->ctext, vec->clen);
2233         }
2234 }
2235
2236 /*
2237  * Minimum authentication tag size in bytes at which we assume that we can
2238  * reliably generate inauthentic messages, i.e. not generate an authentic
2239  * message by chance.
2240  */
2241 #define MIN_COLLISION_FREE_AUTHSIZE 8
2242
2243 static void generate_aead_message(struct aead_request *req,
2244                                   const struct aead_test_suite *suite,
2245                                   struct aead_testvec *vec,
2246                                   bool prefer_inauthentic)
2247 {
2248         struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2249         const unsigned int ivsize = crypto_aead_ivsize(tfm);
2250         const unsigned int authsize = vec->clen - vec->plen;
2251         const bool inauthentic = (authsize >= MIN_COLLISION_FREE_AUTHSIZE) &&
2252                                  (prefer_inauthentic || prandom_u32() % 4 == 0);
2253
2254         /* Generate the AAD. */
2255         generate_random_bytes((u8 *)vec->assoc, vec->alen);
2256         if (suite->aad_iv && vec->alen >= ivsize)
2257                 /* Avoid implementation-defined behavior. */
2258                 memcpy((u8 *)vec->assoc + vec->alen - ivsize, vec->iv, ivsize);
2259
2260         if (inauthentic && prandom_u32() % 2 == 0) {
2261                 /* Generate a random ciphertext. */
2262                 generate_random_bytes((u8 *)vec->ctext, vec->clen);
2263         } else {
2264                 int i = 0;
2265                 struct scatterlist src[2], dst;
2266                 u8 iv[MAX_IVLEN];
2267                 DECLARE_CRYPTO_WAIT(wait);
2268
2269                 /* Generate a random plaintext and encrypt it. */
2270                 sg_init_table(src, 2);
2271                 if (vec->alen)
2272                         sg_set_buf(&src[i++], vec->assoc, vec->alen);
2273                 if (vec->plen) {
2274                         generate_random_bytes((u8 *)vec->ptext, vec->plen);
2275                         sg_set_buf(&src[i++], vec->ptext, vec->plen);
2276                 }
2277                 sg_init_one(&dst, vec->ctext, vec->alen + vec->clen);
2278                 memcpy(iv, vec->iv, ivsize);
2279                 aead_request_set_callback(req, 0, crypto_req_done, &wait);
2280                 aead_request_set_crypt(req, src, &dst, vec->plen, iv);
2281                 aead_request_set_ad(req, vec->alen);
2282                 vec->crypt_error = crypto_wait_req(crypto_aead_encrypt(req),
2283                                                    &wait);
2284                 /* If encryption failed, we're done. */
2285                 if (vec->crypt_error != 0)
2286                         return;
2287                 memmove((u8 *)vec->ctext, vec->ctext + vec->alen, vec->clen);
2288                 if (!inauthentic)
2289                         return;
2290                 /*
2291                  * Mutate the authentic (ciphertext, AAD) pair to get an
2292                  * inauthentic one.
2293                  */
2294                 mutate_aead_message(vec, suite->aad_iv, ivsize);
2295         }
2296         vec->novrfy = 1;
2297         if (suite->einval_allowed)
2298                 vec->crypt_error = -EINVAL;
2299 }
2300
2301 /*
2302  * Generate an AEAD test vector 'vec' using the implementation specified by
2303  * 'req'.  The buffers in 'vec' must already be allocated.
2304  *
2305  * If 'prefer_inauthentic' is true, then this function will generate inauthentic
2306  * test vectors (i.e. vectors with 'vec->novrfy=1') more often.
2307  */
2308 static void generate_random_aead_testvec(struct aead_request *req,
2309                                          struct aead_testvec *vec,
2310                                          const struct aead_test_suite *suite,
2311                                          unsigned int maxkeysize,
2312                                          unsigned int maxdatasize,
2313                                          char *name, size_t max_namelen,
2314                                          bool prefer_inauthentic)
2315 {
2316         struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2317         const unsigned int ivsize = crypto_aead_ivsize(tfm);
2318         const unsigned int maxauthsize = crypto_aead_maxauthsize(tfm);
2319         unsigned int authsize;
2320         unsigned int total_len;
2321
2322         /* Key: length in [0, maxkeysize], but usually choose maxkeysize */
2323         vec->klen = maxkeysize;
2324         if (prandom_u32() % 4 == 0)
2325                 vec->klen = prandom_u32() % (maxkeysize + 1);
2326         generate_random_bytes((u8 *)vec->key, vec->klen);
2327         vec->setkey_error = crypto_aead_setkey(tfm, vec->key, vec->klen);
2328
2329         /* IV */
2330         generate_random_bytes((u8 *)vec->iv, ivsize);
2331
2332         /* Tag length: in [0, maxauthsize], but usually choose maxauthsize */
2333         authsize = maxauthsize;
2334         if (prandom_u32() % 4 == 0)
2335                 authsize = prandom_u32() % (maxauthsize + 1);
2336         if (prefer_inauthentic && authsize < MIN_COLLISION_FREE_AUTHSIZE)
2337                 authsize = MIN_COLLISION_FREE_AUTHSIZE;
2338         if (WARN_ON(authsize > maxdatasize))
2339                 authsize = maxdatasize;
2340         maxdatasize -= authsize;
2341         vec->setauthsize_error = crypto_aead_setauthsize(tfm, authsize);
2342
2343         /* AAD, plaintext, and ciphertext lengths */
2344         total_len = generate_random_length(maxdatasize);
2345         if (prandom_u32() % 4 == 0)
2346                 vec->alen = 0;
2347         else
2348                 vec->alen = generate_random_length(total_len);
2349         vec->plen = total_len - vec->alen;
2350         vec->clen = vec->plen + authsize;
2351
2352         /*
2353          * Generate the AAD, plaintext, and ciphertext.  Not applicable if the
2354          * key or the authentication tag size couldn't be set.
2355          */
2356         vec->novrfy = 0;
2357         vec->crypt_error = 0;
2358         if (vec->setkey_error == 0 && vec->setauthsize_error == 0)
2359                 generate_aead_message(req, suite, vec, prefer_inauthentic);
2360         snprintf(name, max_namelen,
2361                  "\"random: alen=%u plen=%u authsize=%u klen=%u novrfy=%d\"",
2362                  vec->alen, vec->plen, authsize, vec->klen, vec->novrfy);
2363 }
2364
2365 static void try_to_generate_inauthentic_testvec(
2366                                         struct aead_extra_tests_ctx *ctx)
2367 {
2368         int i;
2369
2370         for (i = 0; i < 10; i++) {
2371                 generate_random_aead_testvec(ctx->req, &ctx->vec,
2372                                              &ctx->test_desc->suite.aead,
2373                                              ctx->maxkeysize, ctx->maxdatasize,
2374                                              ctx->vec_name,
2375                                              sizeof(ctx->vec_name), true);
2376                 if (ctx->vec.novrfy)
2377                         return;
2378         }
2379 }
2380
2381 /*
2382  * Generate inauthentic test vectors (i.e. ciphertext, AAD pairs that aren't the
2383  * result of an encryption with the key) and verify that decryption fails.
2384  */
2385 static int test_aead_inauthentic_inputs(struct aead_extra_tests_ctx *ctx)
2386 {
2387         unsigned int i;
2388         int err;
2389
2390         for (i = 0; i < fuzz_iterations * 8; i++) {
2391                 /*
2392                  * Since this part of the tests isn't comparing the
2393                  * implementation to another, there's no point in testing any
2394                  * test vectors other than inauthentic ones (vec.novrfy=1) here.
2395                  *
2396                  * If we're having trouble generating such a test vector, e.g.
2397                  * if the algorithm keeps rejecting the generated keys, don't
2398                  * retry forever; just continue on.
2399                  */
2400                 try_to_generate_inauthentic_testvec(ctx);
2401                 if (ctx->vec.novrfy) {
2402                         generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
2403                                                        sizeof(ctx->cfgname));
2404                         err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2405                                                 ctx->vec_name, &ctx->cfg,
2406                                                 ctx->req, ctx->tsgls);
2407                         if (err)
2408                                 return err;
2409                 }
2410                 cond_resched();
2411         }
2412         return 0;
2413 }
2414
2415 /*
2416  * Test the AEAD algorithm against the corresponding generic implementation, if
2417  * one is available.
2418  */
2419 static int test_aead_vs_generic_impl(struct aead_extra_tests_ctx *ctx)
2420 {
2421         struct crypto_aead *tfm = ctx->tfm;
2422         const char *algname = crypto_aead_alg(tfm)->base.cra_name;
2423         const char *driver = crypto_aead_driver_name(tfm);
2424         const char *generic_driver = ctx->test_desc->generic_driver;
2425         char _generic_driver[CRYPTO_MAX_ALG_NAME];
2426         struct crypto_aead *generic_tfm = NULL;
2427         struct aead_request *generic_req = NULL;
2428         unsigned int i;
2429         int err;
2430
2431         if (!generic_driver) { /* Use default naming convention? */
2432                 err = build_generic_driver_name(algname, _generic_driver);
2433                 if (err)
2434                         return err;
2435                 generic_driver = _generic_driver;
2436         }
2437
2438         if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
2439                 return 0;
2440
2441         generic_tfm = crypto_alloc_aead(generic_driver, 0, 0);
2442         if (IS_ERR(generic_tfm)) {
2443                 err = PTR_ERR(generic_tfm);
2444                 if (err == -ENOENT) {
2445                         pr_warn("alg: aead: skipping comparison tests for %s because %s is unavailable\n",
2446                                 driver, generic_driver);
2447                         return 0;
2448                 }
2449                 pr_err("alg: aead: error allocating %s (generic impl of %s): %d\n",
2450                        generic_driver, algname, err);
2451                 return err;
2452         }
2453
2454         generic_req = aead_request_alloc(generic_tfm, GFP_KERNEL);
2455         if (!generic_req) {
2456                 err = -ENOMEM;
2457                 goto out;
2458         }
2459
2460         /* Check the algorithm properties for consistency. */
2461
2462         if (crypto_aead_maxauthsize(tfm) !=
2463             crypto_aead_maxauthsize(generic_tfm)) {
2464                 pr_err("alg: aead: maxauthsize for %s (%u) doesn't match generic impl (%u)\n",
2465                        driver, crypto_aead_maxauthsize(tfm),
2466                        crypto_aead_maxauthsize(generic_tfm));
2467                 err = -EINVAL;
2468                 goto out;
2469         }
2470
2471         if (crypto_aead_ivsize(tfm) != crypto_aead_ivsize(generic_tfm)) {
2472                 pr_err("alg: aead: ivsize for %s (%u) doesn't match generic impl (%u)\n",
2473                        driver, crypto_aead_ivsize(tfm),
2474                        crypto_aead_ivsize(generic_tfm));
2475                 err = -EINVAL;
2476                 goto out;
2477         }
2478
2479         if (crypto_aead_blocksize(tfm) != crypto_aead_blocksize(generic_tfm)) {
2480                 pr_err("alg: aead: blocksize for %s (%u) doesn't match generic impl (%u)\n",
2481                        driver, crypto_aead_blocksize(tfm),
2482                        crypto_aead_blocksize(generic_tfm));
2483                 err = -EINVAL;
2484                 goto out;
2485         }
2486
2487         /*
2488          * Now generate test vectors using the generic implementation, and test
2489          * the other implementation against them.
2490          */
2491         for (i = 0; i < fuzz_iterations * 8; i++) {
2492                 generate_random_aead_testvec(generic_req, &ctx->vec,
2493                                              &ctx->test_desc->suite.aead,
2494                                              ctx->maxkeysize, ctx->maxdatasize,
2495                                              ctx->vec_name,
2496                                              sizeof(ctx->vec_name), false);
2497                 generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
2498                                                sizeof(ctx->cfgname));
2499                 if (!ctx->vec.novrfy) {
2500                         err = test_aead_vec_cfg(ENCRYPT, &ctx->vec,
2501                                                 ctx->vec_name, &ctx->cfg,
2502                                                 ctx->req, ctx->tsgls);
2503                         if (err)
2504                                 goto out;
2505                 }
2506                 if (ctx->vec.crypt_error == 0 || ctx->vec.novrfy) {
2507                         err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2508                                                 ctx->vec_name, &ctx->cfg,
2509                                                 ctx->req, ctx->tsgls);
2510                         if (err)
2511                                 goto out;
2512                 }
2513                 cond_resched();
2514         }
2515         err = 0;
2516 out:
2517         crypto_free_aead(generic_tfm);
2518         aead_request_free(generic_req);
2519         return err;
2520 }
2521
2522 static int test_aead_extra(const struct alg_test_desc *test_desc,
2523                            struct aead_request *req,
2524                            struct cipher_test_sglists *tsgls)
2525 {
2526         struct aead_extra_tests_ctx *ctx;
2527         unsigned int i;
2528         int err;
2529
2530         if (noextratests)
2531                 return 0;
2532
2533         ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2534         if (!ctx)
2535                 return -ENOMEM;
2536         ctx->req = req;
2537         ctx->tfm = crypto_aead_reqtfm(req);
2538         ctx->test_desc = test_desc;
2539         ctx->tsgls = tsgls;
2540         ctx->maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
2541         ctx->maxkeysize = 0;
2542         for (i = 0; i < test_desc->suite.aead.count; i++)
2543                 ctx->maxkeysize = max_t(unsigned int, ctx->maxkeysize,
2544                                         test_desc->suite.aead.vecs[i].klen);
2545
2546         ctx->vec.key = kmalloc(ctx->maxkeysize, GFP_KERNEL);
2547         ctx->vec.iv = kmalloc(crypto_aead_ivsize(ctx->tfm), GFP_KERNEL);
2548         ctx->vec.assoc = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2549         ctx->vec.ptext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2550         ctx->vec.ctext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2551         if (!ctx->vec.key || !ctx->vec.iv || !ctx->vec.assoc ||
2552             !ctx->vec.ptext || !ctx->vec.ctext) {
2553                 err = -ENOMEM;
2554                 goto out;
2555         }
2556
2557         err = test_aead_vs_generic_impl(ctx);
2558         if (err)
2559                 goto out;
2560
2561         err = test_aead_inauthentic_inputs(ctx);
2562 out:
2563         kfree(ctx->vec.key);
2564         kfree(ctx->vec.iv);
2565         kfree(ctx->vec.assoc);
2566         kfree(ctx->vec.ptext);
2567         kfree(ctx->vec.ctext);
2568         kfree(ctx);
2569         return err;
2570 }
2571 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2572 static int test_aead_extra(const struct alg_test_desc *test_desc,
2573                            struct aead_request *req,
2574                            struct cipher_test_sglists *tsgls)
2575 {
2576         return 0;
2577 }
2578 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2579
2580 static int test_aead(int enc, const struct aead_test_suite *suite,
2581                      struct aead_request *req,
2582                      struct cipher_test_sglists *tsgls)
2583 {
2584         unsigned int i;
2585         int err;
2586
2587         for (i = 0; i < suite->count; i++) {
2588                 err = test_aead_vec(enc, &suite->vecs[i], i, req, tsgls);
2589                 if (err)
2590                         return err;
2591                 cond_resched();
2592         }
2593         return 0;
2594 }
2595
2596 static int alg_test_aead(const struct alg_test_desc *desc, const char *driver,
2597                          u32 type, u32 mask)
2598 {
2599         const struct aead_test_suite *suite = &desc->suite.aead;
2600         struct crypto_aead *tfm;
2601         struct aead_request *req = NULL;
2602         struct cipher_test_sglists *tsgls = NULL;
2603         int err;
2604
2605         if (suite->count <= 0) {
2606                 pr_err("alg: aead: empty test suite for %s\n", driver);
2607                 return -EINVAL;
2608         }
2609
2610         tfm = crypto_alloc_aead(driver, type, mask);
2611         if (IS_ERR(tfm)) {
2612                 pr_err("alg: aead: failed to allocate transform for %s: %ld\n",
2613                        driver, PTR_ERR(tfm));
2614                 return PTR_ERR(tfm);
2615         }
2616         driver = crypto_aead_driver_name(tfm);
2617
2618         req = aead_request_alloc(tfm, GFP_KERNEL);
2619         if (!req) {
2620                 pr_err("alg: aead: failed to allocate request for %s\n",
2621                        driver);
2622                 err = -ENOMEM;
2623                 goto out;
2624         }
2625
2626         tsgls = alloc_cipher_test_sglists();
2627         if (!tsgls) {
2628                 pr_err("alg: aead: failed to allocate test buffers for %s\n",
2629                        driver);
2630                 err = -ENOMEM;
2631                 goto out;
2632         }
2633
2634         err = test_aead(ENCRYPT, suite, req, tsgls);
2635         if (err)
2636                 goto out;
2637
2638         err = test_aead(DECRYPT, suite, req, tsgls);
2639         if (err)
2640                 goto out;
2641
2642         err = test_aead_extra(desc, req, tsgls);
2643 out:
2644         free_cipher_test_sglists(tsgls);
2645         aead_request_free(req);
2646         crypto_free_aead(tfm);
2647         return err;
2648 }
2649
2650 static int test_cipher(struct crypto_cipher *tfm, int enc,
2651                        const struct cipher_testvec *template,
2652                        unsigned int tcount)
2653 {
2654         const char *algo = crypto_tfm_alg_driver_name(crypto_cipher_tfm(tfm));
2655         unsigned int i, j, k;
2656         char *q;
2657         const char *e;
2658         const char *input, *result;
2659         void *data;
2660         char *xbuf[XBUFSIZE];
2661         int ret = -ENOMEM;
2662
2663         if (testmgr_alloc_buf(xbuf))
2664                 goto out_nobuf;
2665
2666         if (enc == ENCRYPT)
2667                 e = "encryption";
2668         else
2669                 e = "decryption";
2670
2671         j = 0;
2672         for (i = 0; i < tcount; i++) {
2673
2674                 if (fips_enabled && template[i].fips_skip)
2675                         continue;
2676
2677                 input  = enc ? template[i].ptext : template[i].ctext;
2678                 result = enc ? template[i].ctext : template[i].ptext;
2679                 j++;
2680
2681                 ret = -EINVAL;
2682                 if (WARN_ON(template[i].len > PAGE_SIZE))
2683                         goto out;
2684
2685                 data = xbuf[0];
2686                 memcpy(data, input, template[i].len);
2687
2688                 crypto_cipher_clear_flags(tfm, ~0);
2689                 if (template[i].wk)
2690                         crypto_cipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2691
2692                 ret = crypto_cipher_setkey(tfm, template[i].key,
2693                                            template[i].klen);
2694                 if (ret) {
2695                         if (ret == template[i].setkey_error)
2696                                 continue;
2697                         pr_err("alg: cipher: %s setkey failed on test vector %u; expected_error=%d, actual_error=%d, flags=%#x\n",
2698                                algo, j, template[i].setkey_error, ret,
2699                                crypto_cipher_get_flags(tfm));
2700                         goto out;
2701                 }
2702                 if (template[i].setkey_error) {
2703                         pr_err("alg: cipher: %s setkey unexpectedly succeeded on test vector %u; expected_error=%d\n",
2704                                algo, j, template[i].setkey_error);
2705                         ret = -EINVAL;
2706                         goto out;
2707                 }
2708
2709                 for (k = 0; k < template[i].len;
2710                      k += crypto_cipher_blocksize(tfm)) {
2711                         if (enc)
2712                                 crypto_cipher_encrypt_one(tfm, data + k,
2713                                                           data + k);
2714                         else
2715                                 crypto_cipher_decrypt_one(tfm, data + k,
2716                                                           data + k);
2717                 }
2718
2719                 q = data;
2720                 if (memcmp(q, result, template[i].len)) {
2721                         printk(KERN_ERR "alg: cipher: Test %d failed "
2722                                "on %s for %s\n", j, e, algo);
2723                         hexdump(q, template[i].len);
2724                         ret = -EINVAL;
2725                         goto out;
2726                 }
2727         }
2728
2729         ret = 0;
2730
2731 out:
2732         testmgr_free_buf(xbuf);
2733 out_nobuf:
2734         return ret;
2735 }
2736
2737 static int test_skcipher_vec_cfg(int enc, const struct cipher_testvec *vec,
2738                                  const char *vec_name,
2739                                  const struct testvec_config *cfg,
2740                                  struct skcipher_request *req,
2741                                  struct cipher_test_sglists *tsgls)
2742 {
2743         struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2744         const unsigned int alignmask = crypto_skcipher_alignmask(tfm);
2745         const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2746         const char *driver = crypto_skcipher_driver_name(tfm);
2747         const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
2748         const char *op = enc ? "encryption" : "decryption";
2749         DECLARE_CRYPTO_WAIT(wait);
2750         u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
2751         u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
2752                  cfg->iv_offset +
2753                  (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
2754         struct kvec input;
2755         int err;
2756
2757         /* Set the key */
2758         if (vec->wk)
2759                 crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2760         else
2761                 crypto_skcipher_clear_flags(tfm,
2762                                             CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2763         err = do_setkey(crypto_skcipher_setkey, tfm, vec->key, vec->klen,
2764                         cfg, alignmask);
2765         if (err) {
2766                 if (err == vec->setkey_error)
2767                         return 0;
2768                 pr_err("alg: skcipher: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2769                        driver, vec_name, vec->setkey_error, err,
2770                        crypto_skcipher_get_flags(tfm));
2771                 return err;
2772         }
2773         if (vec->setkey_error) {
2774                 pr_err("alg: skcipher: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2775                        driver, vec_name, vec->setkey_error);
2776                 return -EINVAL;
2777         }
2778
2779         /* The IV must be copied to a buffer, as the algorithm may modify it */
2780         if (ivsize) {
2781                 if (WARN_ON(ivsize > MAX_IVLEN))
2782                         return -EINVAL;
2783                 if (vec->generates_iv && !enc)
2784                         memcpy(iv, vec->iv_out, ivsize);
2785                 else if (vec->iv)
2786                         memcpy(iv, vec->iv, ivsize);
2787                 else
2788                         memset(iv, 0, ivsize);
2789         } else {
2790                 if (vec->generates_iv) {
2791                         pr_err("alg: skcipher: %s has ivsize=0 but test vector %s generates IV!\n",
2792                                driver, vec_name);
2793                         return -EINVAL;
2794                 }
2795                 iv = NULL;
2796         }
2797
2798         /* Build the src/dst scatterlists */
2799         input.iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2800         input.iov_len = vec->len;
2801         err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2802                                         vec->len, vec->len, &input, 1);
2803         if (err) {
2804                 pr_err("alg: skcipher: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2805                        driver, op, vec_name, cfg->name);
2806                 return err;
2807         }
2808
2809         /* Do the actual encryption or decryption */
2810         testmgr_poison(req->__ctx, crypto_skcipher_reqsize(tfm));
2811         skcipher_request_set_callback(req, req_flags, crypto_req_done, &wait);
2812         skcipher_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2813                                    vec->len, iv);
2814         if (cfg->nosimd)
2815                 crypto_disable_simd_for_test();
2816         err = enc ? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req);
2817         if (cfg->nosimd)
2818                 crypto_reenable_simd_for_test();
2819         err = crypto_wait_req(err, &wait);
2820
2821         /* Check that the algorithm didn't overwrite things it shouldn't have */
2822         if (req->cryptlen != vec->len ||
2823             req->iv != iv ||
2824             req->src != tsgls->src.sgl_ptr ||
2825             req->dst != tsgls->dst.sgl_ptr ||
2826             crypto_skcipher_reqtfm(req) != tfm ||
2827             req->base.complete != crypto_req_done ||
2828             req->base.flags != req_flags ||
2829             req->base.data != &wait) {
2830                 pr_err("alg: skcipher: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2831                        driver, op, vec_name, cfg->name);
2832                 if (req->cryptlen != vec->len)
2833                         pr_err("alg: skcipher: changed 'req->cryptlen'\n");
2834                 if (req->iv != iv)
2835                         pr_err("alg: skcipher: changed 'req->iv'\n");
2836                 if (req->src != tsgls->src.sgl_ptr)
2837                         pr_err("alg: skcipher: changed 'req->src'\n");
2838                 if (req->dst != tsgls->dst.sgl_ptr)
2839                         pr_err("alg: skcipher: changed 'req->dst'\n");
2840                 if (crypto_skcipher_reqtfm(req) != tfm)
2841                         pr_err("alg: skcipher: changed 'req->base.tfm'\n");
2842                 if (req->base.complete != crypto_req_done)
2843                         pr_err("alg: skcipher: changed 'req->base.complete'\n");
2844                 if (req->base.flags != req_flags)
2845                         pr_err("alg: skcipher: changed 'req->base.flags'\n");
2846                 if (req->base.data != &wait)
2847                         pr_err("alg: skcipher: changed 'req->base.data'\n");
2848                 return -EINVAL;
2849         }
2850         if (is_test_sglist_corrupted(&tsgls->src)) {
2851                 pr_err("alg: skcipher: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2852                        driver, op, vec_name, cfg->name);
2853                 return -EINVAL;
2854         }
2855         if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2856             is_test_sglist_corrupted(&tsgls->dst)) {
2857                 pr_err("alg: skcipher: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2858                        driver, op, vec_name, cfg->name);
2859                 return -EINVAL;
2860         }
2861
2862         /* Check for success or failure */
2863         if (err) {
2864                 if (err == vec->crypt_error)
2865                         return 0;
2866                 pr_err("alg: skcipher: %s %s failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
2867                        driver, op, vec_name, vec->crypt_error, err, cfg->name);
2868                 return err;
2869         }
2870         if (vec->crypt_error) {
2871                 pr_err("alg: skcipher: %s %s unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
2872                        driver, op, vec_name, vec->crypt_error, cfg->name);
2873                 return -EINVAL;
2874         }
2875
2876         /* Check for the correct output (ciphertext or plaintext) */
2877         err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2878                                     vec->len, 0, true);
2879         if (err == -EOVERFLOW) {
2880                 pr_err("alg: skcipher: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2881                        driver, op, vec_name, cfg->name);
2882                 return err;
2883         }
2884         if (err) {
2885                 pr_err("alg: skcipher: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2886                        driver, op, vec_name, cfg->name);
2887                 return err;
2888         }
2889
2890         /* If applicable, check that the algorithm generated the correct IV */
2891         if (vec->iv_out && memcmp(iv, vec->iv_out, ivsize) != 0) {
2892                 pr_err("alg: skcipher: %s %s test failed (wrong output IV) on test vector %s, cfg=\"%s\"\n",
2893                        driver, op, vec_name, cfg->name);
2894                 hexdump(iv, ivsize);
2895                 return -EINVAL;
2896         }
2897
2898         return 0;
2899 }
2900
2901 static int test_skcipher_vec(int enc, const struct cipher_testvec *vec,
2902                              unsigned int vec_num,
2903                              struct skcipher_request *req,
2904                              struct cipher_test_sglists *tsgls)
2905 {
2906         char vec_name[16];
2907         unsigned int i;
2908         int err;
2909
2910         if (fips_enabled && vec->fips_skip)
2911                 return 0;
2912
2913         sprintf(vec_name, "%u", vec_num);
2914
2915         for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2916                 err = test_skcipher_vec_cfg(enc, vec, vec_name,
2917                                             &default_cipher_testvec_configs[i],
2918                                             req, tsgls);
2919                 if (err)
2920                         return err;
2921         }
2922
2923 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2924         if (!noextratests) {
2925                 struct testvec_config cfg;
2926                 char cfgname[TESTVEC_CONFIG_NAMELEN];
2927
2928                 for (i = 0; i < fuzz_iterations; i++) {
2929                         generate_random_testvec_config(&cfg, cfgname,
2930                                                        sizeof(cfgname));
2931                         err = test_skcipher_vec_cfg(enc, vec, vec_name,
2932                                                     &cfg, req, tsgls);
2933                         if (err)
2934                                 return err;
2935                         cond_resched();
2936                 }
2937         }
2938 #endif
2939         return 0;
2940 }
2941
2942 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2943 /*
2944  * Generate a symmetric cipher test vector from the given implementation.
2945  * Assumes the buffers in 'vec' were already allocated.
2946  */
2947 static void generate_random_cipher_testvec(struct skcipher_request *req,
2948                                            struct cipher_testvec *vec,
2949                                            unsigned int maxdatasize,
2950                                            char *name, size_t max_namelen)
2951 {
2952         struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2953         const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
2954         const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2955         struct scatterlist src, dst;
2956         u8 iv[MAX_IVLEN];
2957         DECLARE_CRYPTO_WAIT(wait);
2958
2959         /* Key: length in [0, maxkeysize], but usually choose maxkeysize */
2960         vec->klen = maxkeysize;
2961         if (prandom_u32() % 4 == 0)
2962                 vec->klen = prandom_u32() % (maxkeysize + 1);
2963         generate_random_bytes((u8 *)vec->key, vec->klen);
2964         vec->setkey_error = crypto_skcipher_setkey(tfm, vec->key, vec->klen);
2965
2966         /* IV */
2967         generate_random_bytes((u8 *)vec->iv, ivsize);
2968
2969         /* Plaintext */
2970         vec->len = generate_random_length(maxdatasize);
2971         generate_random_bytes((u8 *)vec->ptext, vec->len);
2972
2973         /* If the key couldn't be set, no need to continue to encrypt. */
2974         if (vec->setkey_error)
2975                 goto done;
2976
2977         /* Ciphertext */
2978         sg_init_one(&src, vec->ptext, vec->len);
2979         sg_init_one(&dst, vec->ctext, vec->len);
2980         memcpy(iv, vec->iv, ivsize);
2981         skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
2982         skcipher_request_set_crypt(req, &src, &dst, vec->len, iv);
2983         vec->crypt_error = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
2984         if (vec->crypt_error != 0) {
2985                 /*
2986                  * The only acceptable error here is for an invalid length, so
2987                  * skcipher decryption should fail with the same error too.
2988                  * We'll test for this.  But to keep the API usage well-defined,
2989                  * explicitly initialize the ciphertext buffer too.
2990                  */
2991                 memset((u8 *)vec->ctext, 0, vec->len);
2992         }
2993 done:
2994         snprintf(name, max_namelen, "\"random: len=%u klen=%u\"",
2995                  vec->len, vec->klen);
2996 }
2997
2998 /*
2999  * Test the skcipher algorithm represented by @req against the corresponding
3000  * generic implementation, if one is available.
3001  */
3002 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3003                                          struct skcipher_request *req,
3004                                          struct cipher_test_sglists *tsgls)
3005 {
3006         struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3007         const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
3008         const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
3009         const unsigned int blocksize = crypto_skcipher_blocksize(tfm);
3010         const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
3011         const char *algname = crypto_skcipher_alg(tfm)->base.cra_name;
3012         const char *driver = crypto_skcipher_driver_name(tfm);
3013         char _generic_driver[CRYPTO_MAX_ALG_NAME];
3014         struct crypto_skcipher *generic_tfm = NULL;
3015         struct skcipher_request *generic_req = NULL;
3016         unsigned int i;
3017         struct cipher_testvec vec = { 0 };
3018         char vec_name[64];
3019         struct testvec_config *cfg;
3020         char cfgname[TESTVEC_CONFIG_NAMELEN];
3021         int err;
3022
3023         if (noextratests)
3024                 return 0;
3025
3026         /* Keywrap isn't supported here yet as it handles its IV differently. */
3027         if (strncmp(algname, "kw(", 3) == 0)
3028                 return 0;
3029
3030         if (!generic_driver) { /* Use default naming convention? */
3031                 err = build_generic_driver_name(algname, _generic_driver);
3032                 if (err)
3033                         return err;
3034                 generic_driver = _generic_driver;
3035         }
3036
3037         if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
3038                 return 0;
3039
3040         generic_tfm = crypto_alloc_skcipher(generic_driver, 0, 0);
3041         if (IS_ERR(generic_tfm)) {
3042                 err = PTR_ERR(generic_tfm);
3043                 if (err == -ENOENT) {
3044                         pr_warn("alg: skcipher: skipping comparison tests for %s because %s is unavailable\n",
3045                                 driver, generic_driver);
3046                         return 0;
3047                 }
3048                 pr_err("alg: skcipher: error allocating %s (generic impl of %s): %d\n",
3049                        generic_driver, algname, err);
3050                 return err;
3051         }
3052
3053         cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
3054         if (!cfg) {
3055                 err = -ENOMEM;
3056                 goto out;
3057         }
3058
3059         generic_req = skcipher_request_alloc(generic_tfm, GFP_KERNEL);
3060         if (!generic_req) {
3061                 err = -ENOMEM;
3062                 goto out;
3063         }
3064
3065         /* Check the algorithm properties for consistency. */
3066
3067         if (crypto_skcipher_min_keysize(tfm) !=
3068             crypto_skcipher_min_keysize(generic_tfm)) {
3069                 pr_err("alg: skcipher: min keysize for %s (%u) doesn't match generic impl (%u)\n",
3070                        driver, crypto_skcipher_min_keysize(tfm),
3071                        crypto_skcipher_min_keysize(generic_tfm));
3072                 err = -EINVAL;
3073                 goto out;
3074         }
3075
3076         if (maxkeysize != crypto_skcipher_max_keysize(generic_tfm)) {
3077                 pr_err("alg: skcipher: max keysize for %s (%u) doesn't match generic impl (%u)\n",
3078                        driver, maxkeysize,
3079                        crypto_skcipher_max_keysize(generic_tfm));
3080                 err = -EINVAL;
3081                 goto out;
3082         }
3083
3084         if (ivsize != crypto_skcipher_ivsize(generic_tfm)) {
3085                 pr_err("alg: skcipher: ivsize for %s (%u) doesn't match generic impl (%u)\n",
3086                        driver, ivsize, crypto_skcipher_ivsize(generic_tfm));
3087                 err = -EINVAL;
3088                 goto out;
3089         }
3090
3091         if (blocksize != crypto_skcipher_blocksize(generic_tfm)) {
3092                 pr_err("alg: skcipher: blocksize for %s (%u) doesn't match generic impl (%u)\n",
3093                        driver, blocksize,
3094                        crypto_skcipher_blocksize(generic_tfm));
3095                 err = -EINVAL;
3096                 goto out;
3097         }
3098
3099         /*
3100          * Now generate test vectors using the generic implementation, and test
3101          * the other implementation against them.
3102          */
3103
3104         vec.key = kmalloc(maxkeysize, GFP_KERNEL);
3105         vec.iv = kmalloc(ivsize, GFP_KERNEL);
3106         vec.ptext = kmalloc(maxdatasize, GFP_KERNEL);
3107         vec.ctext = kmalloc(maxdatasize, GFP_KERNEL);
3108         if (!vec.key || !vec.iv || !vec.ptext || !vec.ctext) {
3109                 err = -ENOMEM;
3110                 goto out;
3111         }
3112
3113         for (i = 0; i < fuzz_iterations * 8; i++) {
3114                 generate_random_cipher_testvec(generic_req, &vec, maxdatasize,
3115                                                vec_name, sizeof(vec_name));
3116                 generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
3117
3118                 err = test_skcipher_vec_cfg(ENCRYPT, &vec, vec_name,
3119                                             cfg, req, tsgls);
3120                 if (err)
3121                         goto out;
3122                 err = test_skcipher_vec_cfg(DECRYPT, &vec, vec_name,
3123                                             cfg, req, tsgls);
3124                 if (err)
3125                         goto out;
3126                 cond_resched();
3127         }
3128         err = 0;
3129 out:
3130         kfree(cfg);
3131         kfree(vec.key);
3132         kfree(vec.iv);
3133         kfree(vec.ptext);
3134         kfree(vec.ctext);
3135         crypto_free_skcipher(generic_tfm);
3136         skcipher_request_free(generic_req);
3137         return err;
3138 }
3139 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3140 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3141                                          struct skcipher_request *req,
3142                                          struct cipher_test_sglists *tsgls)
3143 {
3144         return 0;
3145 }
3146 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3147
3148 static int test_skcipher(int enc, const struct cipher_test_suite *suite,
3149                          struct skcipher_request *req,
3150                          struct cipher_test_sglists *tsgls)
3151 {
3152         unsigned int i;
3153         int err;
3154
3155         for (i = 0; i < suite->count; i++) {
3156                 err = test_skcipher_vec(enc, &suite->vecs[i], i, req, tsgls);
3157                 if (err)
3158                         return err;
3159                 cond_resched();
3160         }
3161         return 0;
3162 }
3163
3164 static int alg_test_skcipher(const struct alg_test_desc *desc,
3165                              const char *driver, u32 type, u32 mask)
3166 {
3167         const struct cipher_test_suite *suite = &desc->suite.cipher;
3168         struct crypto_skcipher *tfm;
3169         struct skcipher_request *req = NULL;
3170         struct cipher_test_sglists *tsgls = NULL;
3171         int err;
3172
3173         if (suite->count <= 0) {
3174                 pr_err("alg: skcipher: empty test suite for %s\n", driver);
3175                 return -EINVAL;
3176         }
3177
3178         tfm = crypto_alloc_skcipher(driver, type, mask);
3179         if (IS_ERR(tfm)) {
3180                 pr_err("alg: skcipher: failed to allocate transform for %s: %ld\n",
3181                        driver, PTR_ERR(tfm));
3182                 return PTR_ERR(tfm);
3183         }
3184         driver = crypto_skcipher_driver_name(tfm);
3185
3186         req = skcipher_request_alloc(tfm, GFP_KERNEL);
3187         if (!req) {
3188                 pr_err("alg: skcipher: failed to allocate request for %s\n",
3189                        driver);
3190                 err = -ENOMEM;
3191                 goto out;
3192         }
3193
3194         tsgls = alloc_cipher_test_sglists();
3195         if (!tsgls) {
3196                 pr_err("alg: skcipher: failed to allocate test buffers for %s\n",
3197                        driver);
3198                 err = -ENOMEM;
3199                 goto out;
3200         }
3201
3202         err = test_skcipher(ENCRYPT, suite, req, tsgls);
3203         if (err)
3204                 goto out;
3205
3206         err = test_skcipher(DECRYPT, suite, req, tsgls);
3207         if (err)
3208                 goto out;
3209
3210         err = test_skcipher_vs_generic_impl(desc->generic_driver, req, tsgls);
3211 out:
3212         free_cipher_test_sglists(tsgls);
3213         skcipher_request_free(req);
3214         crypto_free_skcipher(tfm);
3215         return err;
3216 }
3217
3218 static int test_comp(struct crypto_comp *tfm,
3219                      const struct comp_testvec *ctemplate,
3220                      const struct comp_testvec *dtemplate,
3221                      int ctcount, int dtcount)
3222 {
3223         const char *algo = crypto_tfm_alg_driver_name(crypto_comp_tfm(tfm));
3224         char *output, *decomp_output;
3225         unsigned int i;
3226         int ret;
3227
3228         output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3229         if (!output)
3230                 return -ENOMEM;
3231
3232         decomp_output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3233         if (!decomp_output) {
3234                 kfree(output);
3235                 return -ENOMEM;
3236         }
3237
3238         for (i = 0; i < ctcount; i++) {
3239                 int ilen;
3240                 unsigned int dlen = COMP_BUF_SIZE;
3241
3242                 memset(output, 0, COMP_BUF_SIZE);
3243                 memset(decomp_output, 0, COMP_BUF_SIZE);
3244
3245                 ilen = ctemplate[i].inlen;
3246                 ret = crypto_comp_compress(tfm, ctemplate[i].input,
3247                                            ilen, output, &dlen);
3248                 if (ret) {
3249                         printk(KERN_ERR "alg: comp: compression failed "
3250                                "on test %d for %s: ret=%d\n", i + 1, algo,
3251                                -ret);
3252                         goto out;
3253                 }
3254
3255                 ilen = dlen;
3256                 dlen = COMP_BUF_SIZE;
3257                 ret = crypto_comp_decompress(tfm, output,
3258                                              ilen, decomp_output, &dlen);
3259                 if (ret) {
3260                         pr_err("alg: comp: compression failed: decompress: on test %d for %s failed: ret=%d\n",
3261                                i + 1, algo, -ret);
3262                         goto out;
3263                 }
3264
3265                 if (dlen != ctemplate[i].inlen) {
3266                         printk(KERN_ERR "alg: comp: Compression test %d "
3267                                "failed for %s: output len = %d\n", i + 1, algo,
3268                                dlen);
3269                         ret = -EINVAL;
3270                         goto out;
3271                 }
3272
3273                 if (memcmp(decomp_output, ctemplate[i].input,
3274                            ctemplate[i].inlen)) {
3275                         pr_err("alg: comp: compression failed: output differs: on test %d for %s\n",
3276                                i + 1, algo);
3277                         hexdump(decomp_output, dlen);
3278                         ret = -EINVAL;
3279                         goto out;
3280                 }
3281         }
3282
3283         for (i = 0; i < dtcount; i++) {
3284                 int ilen;
3285                 unsigned int dlen = COMP_BUF_SIZE;
3286
3287                 memset(decomp_output, 0, COMP_BUF_SIZE);
3288
3289                 ilen = dtemplate[i].inlen;
3290                 ret = crypto_comp_decompress(tfm, dtemplate[i].input,
3291                                              ilen, decomp_output, &dlen);
3292                 if (ret) {
3293                         printk(KERN_ERR "alg: comp: decompression failed "
3294                                "on test %d for %s: ret=%d\n", i + 1, algo,
3295                                -ret);
3296                         goto out;
3297                 }
3298
3299                 if (dlen != dtemplate[i].outlen) {
3300                         printk(KERN_ERR "alg: comp: Decompression test %d "
3301                                "failed for %s: output len = %d\n", i + 1, algo,
3302                                dlen);
3303                         ret = -EINVAL;
3304                         goto out;
3305                 }
3306
3307                 if (memcmp(decomp_output, dtemplate[i].output, dlen)) {
3308                         printk(KERN_ERR "alg: comp: Decompression test %d "
3309                                "failed for %s\n", i + 1, algo);
3310                         hexdump(decomp_output, dlen);
3311                         ret = -EINVAL;
3312                         goto out;
3313                 }
3314         }
3315
3316         ret = 0;
3317
3318 out:
3319         kfree(decomp_output);
3320         kfree(output);
3321         return ret;
3322 }
3323
3324 static int test_acomp(struct crypto_acomp *tfm,
3325                       const struct comp_testvec *ctemplate,
3326                       const struct comp_testvec *dtemplate,
3327                       int ctcount, int dtcount)
3328 {
3329         const char *algo = crypto_tfm_alg_driver_name(crypto_acomp_tfm(tfm));
3330         unsigned int i;
3331         char *output, *decomp_out;
3332         int ret;
3333         struct scatterlist src, dst;
3334         struct acomp_req *req;
3335         struct crypto_wait wait;
3336
3337         output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3338         if (!output)
3339                 return -ENOMEM;
3340
3341         decomp_out = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3342         if (!decomp_out) {
3343                 kfree(output);
3344                 return -ENOMEM;
3345         }
3346
3347         for (i = 0; i < ctcount; i++) {
3348                 unsigned int dlen = COMP_BUF_SIZE;
3349                 int ilen = ctemplate[i].inlen;
3350                 void *input_vec;
3351
3352                 input_vec = kmemdup(ctemplate[i].input, ilen, GFP_KERNEL);
3353                 if (!input_vec) {
3354                         ret = -ENOMEM;
3355                         goto out;
3356                 }
3357
3358                 memset(output, 0, dlen);
3359                 crypto_init_wait(&wait);
3360                 sg_init_one(&src, input_vec, ilen);
3361                 sg_init_one(&dst, output, dlen);
3362
3363                 req = acomp_request_alloc(tfm);
3364                 if (!req) {
3365                         pr_err("alg: acomp: request alloc failed for %s\n",
3366                                algo);
3367                         kfree(input_vec);
3368                         ret = -ENOMEM;
3369                         goto out;
3370                 }
3371
3372                 acomp_request_set_params(req, &src, &dst, ilen, dlen);
3373                 acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3374                                            crypto_req_done, &wait);
3375
3376                 ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3377                 if (ret) {
3378                         pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3379                                i + 1, algo, -ret);
3380                         kfree(input_vec);
3381                         acomp_request_free(req);
3382                         goto out;
3383                 }
3384
3385                 ilen = req->dlen;
3386                 dlen = COMP_BUF_SIZE;
3387                 sg_init_one(&src, output, ilen);
3388                 sg_init_one(&dst, decomp_out, dlen);
3389                 crypto_init_wait(&wait);
3390                 acomp_request_set_params(req, &src, &dst, ilen, dlen);
3391
3392                 ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3393                 if (ret) {
3394                         pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3395                                i + 1, algo, -ret);
3396                         kfree(input_vec);
3397                         acomp_request_free(req);
3398                         goto out;
3399                 }
3400
3401                 if (req->dlen != ctemplate[i].inlen) {
3402                         pr_err("alg: acomp: Compression test %d failed for %s: output len = %d\n",
3403                                i + 1, algo, req->dlen);
3404                         ret = -EINVAL;
3405                         kfree(input_vec);
3406                         acomp_request_free(req);
3407                         goto out;
3408                 }
3409
3410                 if (memcmp(input_vec, decomp_out, req->dlen)) {
3411                         pr_err("alg: acomp: Compression test %d failed for %s\n",
3412                                i + 1, algo);
3413                         hexdump(output, req->dlen);
3414                         ret = -EINVAL;
3415                         kfree(input_vec);
3416                         acomp_request_free(req);
3417                         goto out;
3418                 }
3419
3420 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3421                 crypto_init_wait(&wait);
3422                 sg_init_one(&src, input_vec, ilen);
3423                 acomp_request_set_params(req, &src, NULL, ilen, 0);
3424
3425                 ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3426                 if (ret) {
3427                         pr_err("alg: acomp: compression failed on NULL dst buffer test %d for %s: ret=%d\n",
3428                                i + 1, algo, -ret);
3429                         kfree(input_vec);
3430                         acomp_request_free(req);
3431                         goto out;
3432                 }
3433 #endif
3434
3435                 kfree(input_vec);
3436                 acomp_request_free(req);
3437         }
3438
3439         for (i = 0; i < dtcount; i++) {
3440                 unsigned int dlen = COMP_BUF_SIZE;
3441                 int ilen = dtemplate[i].inlen;
3442                 void *input_vec;
3443
3444                 input_vec = kmemdup(dtemplate[i].input, ilen, GFP_KERNEL);
3445                 if (!input_vec) {
3446                         ret = -ENOMEM;
3447                         goto out;
3448                 }
3449
3450                 memset(output, 0, dlen);
3451                 crypto_init_wait(&wait);
3452                 sg_init_one(&src, input_vec, ilen);
3453                 sg_init_one(&dst, output, dlen);
3454
3455                 req = acomp_request_alloc(tfm);
3456                 if (!req) {
3457                         pr_err("alg: acomp: request alloc failed for %s\n",
3458                                algo);
3459                         kfree(input_vec);
3460                         ret = -ENOMEM;
3461                         goto out;
3462                 }
3463
3464                 acomp_request_set_params(req, &src, &dst, ilen, dlen);
3465                 acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3466                                            crypto_req_done, &wait);
3467
3468                 ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3469                 if (ret) {
3470                         pr_err("alg: acomp: decompression failed on test %d for %s: ret=%d\n",
3471                                i + 1, algo, -ret);
3472                         kfree(input_vec);
3473                         acomp_request_free(req);
3474                         goto out;
3475                 }
3476
3477                 if (req->dlen != dtemplate[i].outlen) {
3478                         pr_err("alg: acomp: Decompression test %d failed for %s: output len = %d\n",
3479                                i + 1, algo, req->dlen);
3480                         ret = -EINVAL;
3481                         kfree(input_vec);
3482                         acomp_request_free(req);
3483                         goto out;
3484                 }
3485
3486                 if (memcmp(output, dtemplate[i].output, req->dlen)) {
3487                         pr_err("alg: acomp: Decompression test %d failed for %s\n",
3488                                i + 1, algo);
3489                         hexdump(output, req->dlen);
3490                         ret = -EINVAL;
3491                         kfree(input_vec);
3492                         acomp_request_free(req);
3493                         goto out;
3494                 }
3495
3496 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3497                 crypto_init_wait(&wait);
3498                 acomp_request_set_params(req, &src, NULL, ilen, 0);
3499
3500                 ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3501                 if (ret) {
3502                         pr_err("alg: acomp: decompression failed on NULL dst buffer test %d for %s: ret=%d\n",
3503                                i + 1, algo, -ret);
3504                         kfree(input_vec);
3505                         acomp_request_free(req);
3506                         goto out;
3507                 }
3508 #endif
3509
3510                 kfree(input_vec);
3511                 acomp_request_free(req);
3512         }
3513
3514         ret = 0;
3515
3516 out:
3517         kfree(decomp_out);
3518         kfree(output);
3519         return ret;
3520 }
3521
3522 static int test_cprng(struct crypto_rng *tfm,
3523                       const struct cprng_testvec *template,
3524                       unsigned int tcount)
3525 {
3526         const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
3527         int err = 0, i, j, seedsize;
3528         u8 *seed;
3529         char result[32];
3530
3531         seedsize = crypto_rng_seedsize(tfm);
3532
3533         seed = kmalloc(seedsize, GFP_KERNEL);
3534         if (!seed) {
3535                 printk(KERN_ERR "alg: cprng: Failed to allocate seed space "
3536                        "for %s\n", algo);
3537                 return -ENOMEM;
3538         }
3539
3540         for (i = 0; i < tcount; i++) {
3541                 memset(result, 0, 32);
3542
3543                 memcpy(seed, template[i].v, template[i].vlen);
3544                 memcpy(seed + template[i].vlen, template[i].key,
3545                        template[i].klen);
3546                 memcpy(seed + template[i].vlen + template[i].klen,
3547                        template[i].dt, template[i].dtlen);
3548
3549                 err = crypto_rng_reset(tfm, seed, seedsize);
3550                 if (err) {
3551                         printk(KERN_ERR "alg: cprng: Failed to reset rng "
3552                                "for %s\n", algo);
3553                         goto out;
3554                 }
3555
3556                 for (j = 0; j < template[i].loops; j++) {
3557                         err = crypto_rng_get_bytes(tfm, result,
3558                                                    template[i].rlen);
3559                         if (err < 0) {
3560                                 printk(KERN_ERR "alg: cprng: Failed to obtain "
3561                                        "the correct amount of random data for "
3562                                        "%s (requested %d)\n", algo,
3563                                        template[i].rlen);
3564                                 goto out;
3565                         }
3566                 }
3567
3568                 err = memcmp(result, template[i].result,
3569                              template[i].rlen);
3570                 if (err) {
3571                         printk(KERN_ERR "alg: cprng: Test %d failed for %s\n",
3572                                i, algo);
3573                         hexdump(result, template[i].rlen);
3574                         err = -EINVAL;
3575                         goto out;
3576                 }
3577         }
3578
3579 out:
3580         kfree(seed);
3581         return err;
3582 }
3583
3584 static int alg_test_cipher(const struct alg_test_desc *desc,
3585                            const char *driver, u32 type, u32 mask)
3586 {
3587         const struct cipher_test_suite *suite = &desc->suite.cipher;
3588         struct crypto_cipher *tfm;
3589         int err;
3590
3591         tfm = crypto_alloc_cipher(driver, type, mask);
3592         if (IS_ERR(tfm)) {
3593                 printk(KERN_ERR "alg: cipher: Failed to load transform for "
3594                        "%s: %ld\n", driver, PTR_ERR(tfm));
3595                 return PTR_ERR(tfm);
3596         }
3597
3598         err = test_cipher(tfm, ENCRYPT, suite->vecs, suite->count);
3599         if (!err)
3600                 err = test_cipher(tfm, DECRYPT, suite->vecs, suite->count);
3601
3602         crypto_free_cipher(tfm);
3603         return err;
3604 }
3605
3606 static int alg_test_comp(const struct alg_test_desc *desc, const char *driver,
3607                          u32 type, u32 mask)
3608 {
3609         struct crypto_comp *comp;
3610         struct crypto_acomp *acomp;
3611         int err;
3612         u32 algo_type = type & CRYPTO_ALG_TYPE_ACOMPRESS_MASK;
3613
3614         if (algo_type == CRYPTO_ALG_TYPE_ACOMPRESS) {
3615                 acomp = crypto_alloc_acomp(driver, type, mask);
3616                 if (IS_ERR(acomp)) {
3617                         pr_err("alg: acomp: Failed to load transform for %s: %ld\n",
3618                                driver, PTR_ERR(acomp));
3619                         return PTR_ERR(acomp);
3620                 }
3621                 err = test_acomp(acomp, desc->suite.comp.comp.vecs,
3622                                  desc->suite.comp.decomp.vecs,
3623                                  desc->suite.comp.comp.count,
3624                                  desc->suite.comp.decomp.count);
3625                 crypto_free_acomp(acomp);
3626         } else {
3627                 comp = crypto_alloc_comp(driver, type, mask);
3628                 if (IS_ERR(comp)) {
3629                         pr_err("alg: comp: Failed to load transform for %s: %ld\n",
3630                                driver, PTR_ERR(comp));
3631                         return PTR_ERR(comp);
3632                 }
3633
3634                 err = test_comp(comp, desc->suite.comp.comp.vecs,
3635                                 desc->suite.comp.decomp.vecs,
3636                                 desc->suite.comp.comp.count,
3637                                 desc->suite.comp.decomp.count);
3638
3639                 crypto_free_comp(comp);
3640         }
3641         return err;
3642 }
3643
3644 static int alg_test_crc32c(const struct alg_test_desc *desc,
3645                            const char *driver, u32 type, u32 mask)
3646 {
3647         struct crypto_shash *tfm;
3648         __le32 val;
3649         int err;
3650
3651         err = alg_test_hash(desc, driver, type, mask);
3652         if (err)
3653                 return err;
3654
3655         tfm = crypto_alloc_shash(driver, type, mask);
3656         if (IS_ERR(tfm)) {
3657                 if (PTR_ERR(tfm) == -ENOENT) {
3658                         /*
3659                          * This crc32c implementation is only available through
3660                          * ahash API, not the shash API, so the remaining part
3661                          * of the test is not applicable to it.
3662                          */
3663                         return 0;
3664                 }
3665                 printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: "
3666                        "%ld\n", driver, PTR_ERR(tfm));
3667                 return PTR_ERR(tfm);
3668         }
3669         driver = crypto_shash_driver_name(tfm);
3670
3671         do {
3672                 SHASH_DESC_ON_STACK(shash, tfm);
3673                 u32 *ctx = (u32 *)shash_desc_ctx(shash);
3674
3675                 shash->tfm = tfm;
3676
3677                 *ctx = 420553207;
3678                 err = crypto_shash_final(shash, (u8 *)&val);
3679                 if (err) {
3680                         printk(KERN_ERR "alg: crc32c: Operation failed for "
3681                                "%s: %d\n", driver, err);
3682                         break;
3683                 }
3684
3685                 if (val != cpu_to_le32(~420553207)) {
3686                         pr_err("alg: crc32c: Test failed for %s: %u\n",
3687                                driver, le32_to_cpu(val));
3688                         err = -EINVAL;
3689                 }
3690         } while (0);
3691
3692         crypto_free_shash(tfm);
3693
3694         return err;
3695 }
3696
3697 static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
3698                           u32 type, u32 mask)
3699 {
3700         struct crypto_rng *rng;
3701         int err;
3702
3703         rng = crypto_alloc_rng(driver, type, mask);
3704         if (IS_ERR(rng)) {
3705                 printk(KERN_ERR "alg: cprng: Failed to load transform for %s: "
3706                        "%ld\n", driver, PTR_ERR(rng));
3707                 return PTR_ERR(rng);
3708         }
3709
3710         err = test_cprng(rng, desc->suite.cprng.vecs, desc->suite.cprng.count);
3711
3712         crypto_free_rng(rng);
3713
3714         return err;
3715 }
3716
3717
3718 static int drbg_cavs_test(const struct drbg_testvec *test, int pr,
3719                           const char *driver, u32 type, u32 mask)
3720 {
3721         int ret = -EAGAIN;
3722         struct crypto_rng *drng;
3723         struct drbg_test_data test_data;
3724         struct drbg_string addtl, pers, testentropy;
3725         unsigned char *buf = kzalloc(test->expectedlen, GFP_KERNEL);
3726
3727         if (!buf)
3728                 return -ENOMEM;
3729
3730         drng = crypto_alloc_rng(driver, type, mask);
3731         if (IS_ERR(drng)) {
3732                 printk(KERN_ERR "alg: drbg: could not allocate DRNG handle for "
3733                        "%s\n", driver);
3734                 kfree_sensitive(buf);
3735                 return -ENOMEM;
3736         }
3737
3738         test_data.testentropy = &testentropy;
3739         drbg_string_fill(&testentropy, test->entropy, test->entropylen);
3740         drbg_string_fill(&pers, test->pers, test->perslen);
3741         ret = crypto_drbg_reset_test(drng, &pers, &test_data);
3742         if (ret) {
3743                 printk(KERN_ERR "alg: drbg: Failed to reset rng\n");
3744                 goto outbuf;
3745         }
3746
3747         drbg_string_fill(&addtl, test->addtla, test->addtllen);
3748         if (pr) {
3749                 drbg_string_fill(&testentropy, test->entpra, test->entprlen);
3750                 ret = crypto_drbg_get_bytes_addtl_test(drng,
3751                         buf, test->expectedlen, &addtl, &test_data);
3752         } else {
3753                 ret = crypto_drbg_get_bytes_addtl(drng,
3754                         buf, test->expectedlen, &addtl);
3755         }
3756         if (ret < 0) {
3757                 printk(KERN_ERR "alg: drbg: could not obtain random data for "
3758                        "driver %s\n", driver);
3759                 goto outbuf;
3760         }
3761
3762         drbg_string_fill(&addtl, test->addtlb, test->addtllen);
3763         if (pr) {
3764                 drbg_string_fill(&testentropy, test->entprb, test->entprlen);
3765                 ret = crypto_drbg_get_bytes_addtl_test(drng,
3766                         buf, test->expectedlen, &addtl, &test_data);
3767         } else {
3768                 ret = crypto_drbg_get_bytes_addtl(drng,
3769                         buf, test->expectedlen, &addtl);
3770         }
3771         if (ret < 0) {
3772                 printk(KERN_ERR "alg: drbg: could not obtain random data for "
3773                        "driver %s\n", driver);
3774                 goto outbuf;
3775         }
3776
3777         ret = memcmp(test->expected, buf, test->expectedlen);
3778
3779 outbuf:
3780         crypto_free_rng(drng);
3781         kfree_sensitive(buf);
3782         return ret;
3783 }
3784
3785
3786 static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver,
3787                          u32 type, u32 mask)
3788 {
3789         int err = 0;
3790         int pr = 0;
3791         int i = 0;
3792         const struct drbg_testvec *template = desc->suite.drbg.vecs;
3793         unsigned int tcount = desc->suite.drbg.count;
3794
3795         if (0 == memcmp(driver, "drbg_pr_", 8))
3796                 pr = 1;
3797
3798         for (i = 0; i < tcount; i++) {
3799                 err = drbg_cavs_test(&template[i], pr, driver, type, mask);
3800                 if (err) {
3801                         printk(KERN_ERR "alg: drbg: Test %d failed for %s\n",
3802                                i, driver);
3803                         err = -EINVAL;
3804                         break;
3805                 }
3806         }
3807         return err;
3808
3809 }
3810
3811 static int do_test_kpp(struct crypto_kpp *tfm, const struct kpp_testvec *vec,
3812                        const char *alg)
3813 {
3814         struct kpp_request *req;
3815         void *input_buf = NULL;
3816         void *output_buf = NULL;
3817         void *a_public = NULL;
3818         void *a_ss = NULL;
3819         void *shared_secret = NULL;
3820         struct crypto_wait wait;
3821         unsigned int out_len_max;
3822         int err = -ENOMEM;
3823         struct scatterlist src, dst;
3824
3825         req = kpp_request_alloc(tfm, GFP_KERNEL);
3826         if (!req)
3827                 return err;
3828
3829         crypto_init_wait(&wait);
3830
3831         err = crypto_kpp_set_secret(tfm, vec->secret, vec->secret_size);
3832         if (err < 0)
3833                 goto free_req;
3834
3835         out_len_max = crypto_kpp_maxsize(tfm);
3836         output_buf = kzalloc(out_len_max, GFP_KERNEL);
3837         if (!output_buf) {
3838                 err = -ENOMEM;
3839                 goto free_req;
3840         }
3841
3842         /* Use appropriate parameter as base */
3843         kpp_request_set_input(req, NULL, 0);
3844         sg_init_one(&dst, output_buf, out_len_max);
3845         kpp_request_set_output(req, &dst, out_len_max);
3846         kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3847                                  crypto_req_done, &wait);
3848
3849         /* Compute party A's public key */
3850         err = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait);
3851         if (err) {
3852                 pr_err("alg: %s: Party A: generate public key test failed. err %d\n",
3853                        alg, err);
3854                 goto free_output;
3855         }
3856
3857         if (vec->genkey) {
3858                 /* Save party A's public key */
3859                 a_public = kmemdup(sg_virt(req->dst), out_len_max, GFP_KERNEL);
3860                 if (!a_public) {
3861                         err = -ENOMEM;
3862                         goto free_output;
3863                 }
3864         } else {
3865                 /* Verify calculated public key */
3866                 if (memcmp(vec->expected_a_public, sg_virt(req->dst),
3867                            vec->expected_a_public_size)) {
3868                         pr_err("alg: %s: Party A: generate public key test failed. Invalid output\n",
3869                                alg);
3870                         err = -EINVAL;
3871                         goto free_output;
3872                 }
3873         }
3874
3875         /* Calculate shared secret key by using counter part (b) public key. */
3876         input_buf = kmemdup(vec->b_public, vec->b_public_size, GFP_KERNEL);
3877         if (!input_buf) {
3878                 err = -ENOMEM;
3879                 goto free_output;
3880         }
3881
3882         sg_init_one(&src, input_buf, vec->b_public_size);
3883         sg_init_one(&dst, output_buf, out_len_max);
3884         kpp_request_set_input(req, &src, vec->b_public_size);
3885         kpp_request_set_output(req, &dst, out_len_max);
3886         kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3887                                  crypto_req_done, &wait);
3888         err = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait);
3889         if (err) {
3890                 pr_err("alg: %s: Party A: compute shared secret test failed. err %d\n",
3891                        alg, err);
3892                 goto free_all;
3893         }
3894
3895         if (vec->genkey) {
3896                 /* Save the shared secret obtained by party A */
3897                 a_ss = kmemdup(sg_virt(req->dst), vec->expected_ss_size, GFP_KERNEL);
3898                 if (!a_ss) {
3899                         err = -ENOMEM;
3900                         goto free_all;
3901                 }
3902
3903                 /*
3904                  * Calculate party B's shared secret by using party A's
3905                  * public key.
3906                  */
3907                 err = crypto_kpp_set_secret(tfm, vec->b_secret,
3908                                             vec->b_secret_size);
3909                 if (err < 0)
3910                         goto free_all;
3911
3912                 sg_init_one(&src, a_public, vec->expected_a_public_size);
3913                 sg_init_one(&dst, output_buf, out_len_max);
3914                 kpp_request_set_input(req, &src, vec->expected_a_public_size);
3915                 kpp_request_set_output(req, &dst, out_len_max);
3916                 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3917                                          crypto_req_done, &wait);
3918                 err = crypto_wait_req(crypto_kpp_compute_shared_secret(req),
3919                                       &wait);
3920                 if (err) {
3921                         pr_err("alg: %s: Party B: compute shared secret failed. err %d\n",
3922                                alg, err);
3923                         goto free_all;
3924                 }
3925
3926                 shared_secret = a_ss;
3927         } else {
3928                 shared_secret = (void *)vec->expected_ss;
3929         }
3930
3931         /*
3932          * verify shared secret from which the user will derive
3933          * secret key by executing whatever hash it has chosen
3934          */
3935         if (memcmp(shared_secret, sg_virt(req->dst),
3936                    vec->expected_ss_size)) {
3937                 pr_err("alg: %s: compute shared secret test failed. Invalid output\n",
3938                        alg);
3939                 err = -EINVAL;
3940         }
3941
3942 free_all:
3943         kfree(a_ss);
3944         kfree(input_buf);
3945 free_output:
3946         kfree(a_public);
3947         kfree(output_buf);
3948 free_req:
3949         kpp_request_free(req);
3950         return err;
3951 }
3952
3953 static int test_kpp(struct crypto_kpp *tfm, const char *alg,
3954                     const struct kpp_testvec *vecs, unsigned int tcount)
3955 {
3956         int ret, i;
3957
3958         for (i = 0; i < tcount; i++) {
3959                 ret = do_test_kpp(tfm, vecs++, alg);
3960                 if (ret) {
3961                         pr_err("alg: %s: test failed on vector %d, err=%d\n",
3962                                alg, i + 1, ret);
3963                         return ret;
3964                 }
3965         }
3966         return 0;
3967 }
3968
3969 static int alg_test_kpp(const struct alg_test_desc *desc, const char *driver,
3970                         u32 type, u32 mask)
3971 {
3972         struct crypto_kpp *tfm;
3973         int err = 0;
3974
3975         tfm = crypto_alloc_kpp(driver, type, mask);
3976         if (IS_ERR(tfm)) {
3977                 pr_err("alg: kpp: Failed to load tfm for %s: %ld\n",
3978                        driver, PTR_ERR(tfm));
3979                 return PTR_ERR(tfm);
3980         }
3981         if (desc->suite.kpp.vecs)
3982                 err = test_kpp(tfm, desc->alg, desc->suite.kpp.vecs,
3983                                desc->suite.kpp.count);
3984
3985         crypto_free_kpp(tfm);
3986         return err;
3987 }
3988
3989 static u8 *test_pack_u32(u8 *dst, u32 val)
3990 {
3991         memcpy(dst, &val, sizeof(val));
3992         return dst + sizeof(val);
3993 }
3994
3995 static int test_akcipher_one(struct crypto_akcipher *tfm,
3996                              const struct akcipher_testvec *vecs)
3997 {
3998         char *xbuf[XBUFSIZE];
3999         struct akcipher_request *req;
4000         void *outbuf_enc = NULL;
4001         void *outbuf_dec = NULL;
4002         struct crypto_wait wait;
4003         unsigned int out_len_max, out_len = 0;
4004         int err = -ENOMEM;
4005         struct scatterlist src, dst, src_tab[3];
4006         const char *m, *c;
4007         unsigned int m_size, c_size;
4008         const char *op;
4009         u8 *key, *ptr;
4010
4011         if (testmgr_alloc_buf(xbuf))
4012                 return err;
4013
4014         req = akcipher_request_alloc(tfm, GFP_KERNEL);
4015         if (!req)
4016                 goto free_xbuf;
4017
4018         crypto_init_wait(&wait);
4019
4020         key = kmalloc(vecs->key_len + sizeof(u32) * 2 + vecs->param_len,
4021                       GFP_KERNEL);
4022         if (!key)
4023                 goto free_req;
4024         memcpy(key, vecs->key, vecs->key_len);
4025         ptr = key + vecs->key_len;
4026         ptr = test_pack_u32(ptr, vecs->algo);
4027         ptr = test_pack_u32(ptr, vecs->param_len);
4028         memcpy(ptr, vecs->params, vecs->param_len);
4029
4030         if (vecs->public_key_vec)
4031                 err = crypto_akcipher_set_pub_key(tfm, key, vecs->key_len);
4032         else
4033                 err = crypto_akcipher_set_priv_key(tfm, key, vecs->key_len);
4034         if (err)
4035                 goto free_key;
4036
4037         /*
4038          * First run test which do not require a private key, such as
4039          * encrypt or verify.
4040          */
4041         err = -ENOMEM;
4042         out_len_max = crypto_akcipher_maxsize(tfm);
4043         outbuf_enc = kzalloc(out_len_max, GFP_KERNEL);
4044         if (!outbuf_enc)
4045                 goto free_key;
4046
4047         if (!vecs->siggen_sigver_test) {
4048                 m = vecs->m;
4049                 m_size = vecs->m_size;
4050                 c = vecs->c;
4051                 c_size = vecs->c_size;
4052                 op = "encrypt";
4053         } else {
4054                 /* Swap args so we could keep plaintext (digest)
4055                  * in vecs->m, and cooked signature in vecs->c.
4056                  */
4057                 m = vecs->c; /* signature */
4058                 m_size = vecs->c_size;
4059                 c = vecs->m; /* digest */
4060                 c_size = vecs->m_size;
4061                 op = "verify";
4062         }
4063
4064         err = -E2BIG;
4065         if (WARN_ON(m_size > PAGE_SIZE))
4066                 goto free_all;
4067         memcpy(xbuf[0], m, m_size);
4068
4069         sg_init_table(src_tab, 3);
4070         sg_set_buf(&src_tab[0], xbuf[0], 8);
4071         sg_set_buf(&src_tab[1], xbuf[0] + 8, m_size - 8);
4072         if (vecs->siggen_sigver_test) {
4073                 if (WARN_ON(c_size > PAGE_SIZE))
4074                         goto free_all;
4075                 memcpy(xbuf[1], c, c_size);
4076                 sg_set_buf(&src_tab[2], xbuf[1], c_size);
4077                 akcipher_request_set_crypt(req, src_tab, NULL, m_size, c_size);
4078         } else {
4079                 sg_init_one(&dst, outbuf_enc, out_len_max);
4080                 akcipher_request_set_crypt(req, src_tab, &dst, m_size,
4081                                            out_len_max);
4082         }
4083         akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4084                                       crypto_req_done, &wait);
4085
4086         err = crypto_wait_req(vecs->siggen_sigver_test ?
4087                               /* Run asymmetric signature verification */
4088                               crypto_akcipher_verify(req) :
4089                               /* Run asymmetric encrypt */
4090                               crypto_akcipher_encrypt(req), &wait);
4091         if (err) {
4092                 pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4093                 goto free_all;
4094         }
4095         if (!vecs->siggen_sigver_test && c) {
4096                 if (req->dst_len != c_size) {
4097                         pr_err("alg: akcipher: %s test failed. Invalid output len\n",
4098                                op);
4099                         err = -EINVAL;
4100                         goto free_all;
4101                 }
4102                 /* verify that encrypted message is equal to expected */
4103                 if (memcmp(c, outbuf_enc, c_size) != 0) {
4104                         pr_err("alg: akcipher: %s test failed. Invalid output\n",
4105                                op);
4106                         hexdump(outbuf_enc, c_size);
4107                         err = -EINVAL;
4108                         goto free_all;
4109                 }
4110         }
4111
4112         /*
4113          * Don't invoke (decrypt or sign) test which require a private key
4114          * for vectors with only a public key.
4115          */
4116         if (vecs->public_key_vec) {
4117                 err = 0;
4118                 goto free_all;
4119         }
4120         outbuf_dec = kzalloc(out_len_max, GFP_KERNEL);
4121         if (!outbuf_dec) {
4122                 err = -ENOMEM;
4123                 goto free_all;
4124         }
4125
4126         if (!vecs->siggen_sigver_test && !c) {
4127                 c = outbuf_enc;
4128                 c_size = req->dst_len;
4129         }
4130
4131         err = -E2BIG;
4132         op = vecs->siggen_sigver_test ? "sign" : "decrypt";
4133         if (WARN_ON(c_size > PAGE_SIZE))
4134                 goto free_all;
4135         memcpy(xbuf[0], c, c_size);
4136
4137         sg_init_one(&src, xbuf[0], c_size);
4138         sg_init_one(&dst, outbuf_dec, out_len_max);
4139         crypto_init_wait(&wait);
4140         akcipher_request_set_crypt(req, &src, &dst, c_size, out_len_max);
4141
4142         err = crypto_wait_req(vecs->siggen_sigver_test ?
4143                               /* Run asymmetric signature generation */
4144                               crypto_akcipher_sign(req) :
4145                               /* Run asymmetric decrypt */
4146                               crypto_akcipher_decrypt(req), &wait);
4147         if (err) {
4148                 pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4149                 goto free_all;
4150         }
4151         out_len = req->dst_len;
4152         if (out_len < m_size) {
4153                 pr_err("alg: akcipher: %s test failed. Invalid output len %u\n",
4154                        op, out_len);
4155                 err = -EINVAL;
4156                 goto free_all;
4157         }
4158         /* verify that decrypted message is equal to the original msg */
4159         if (memchr_inv(outbuf_dec, 0, out_len - m_size) ||
4160             memcmp(m, outbuf_dec + out_len - m_size, m_size)) {
4161                 pr_err("alg: akcipher: %s test failed. Invalid output\n", op);
4162                 hexdump(outbuf_dec, out_len);
4163                 err = -EINVAL;
4164         }
4165 free_all:
4166         kfree(outbuf_dec);
4167         kfree(outbuf_enc);
4168 free_key:
4169         kfree(key);
4170 free_req:
4171         akcipher_request_free(req);
4172 free_xbuf:
4173         testmgr_free_buf(xbuf);
4174         return err;
4175 }
4176
4177 static int test_akcipher(struct crypto_akcipher *tfm, const char *alg,
4178                          const struct akcipher_testvec *vecs,
4179                          unsigned int tcount)
4180 {
4181         const char *algo =
4182                 crypto_tfm_alg_driver_name(crypto_akcipher_tfm(tfm));
4183         int ret, i;
4184
4185         for (i = 0; i < tcount; i++) {
4186                 ret = test_akcipher_one(tfm, vecs++);
4187                 if (!ret)
4188                         continue;
4189
4190                 pr_err("alg: akcipher: test %d failed for %s, err=%d\n",
4191                        i + 1, algo, ret);
4192                 return ret;
4193         }
4194         return 0;
4195 }
4196
4197 static int alg_test_akcipher(const struct alg_test_desc *desc,
4198                              const char *driver, u32 type, u32 mask)
4199 {
4200         struct crypto_akcipher *tfm;
4201         int err = 0;
4202
4203         tfm = crypto_alloc_akcipher(driver, type, mask);
4204         if (IS_ERR(tfm)) {
4205                 pr_err("alg: akcipher: Failed to load tfm for %s: %ld\n",
4206                        driver, PTR_ERR(tfm));
4207                 return PTR_ERR(tfm);
4208         }
4209         if (desc->suite.akcipher.vecs)
4210                 err = test_akcipher(tfm, desc->alg, desc->suite.akcipher.vecs,
4211                                     desc->suite.akcipher.count);
4212
4213         crypto_free_akcipher(tfm);
4214         return err;
4215 }
4216
4217 static int alg_test_null(const struct alg_test_desc *desc,
4218                              const char *driver, u32 type, u32 mask)
4219 {
4220         return 0;
4221 }
4222
4223 #define ____VECS(tv)    .vecs = tv, .count = ARRAY_SIZE(tv)
4224 #define __VECS(tv)      { ____VECS(tv) }
4225
4226 /* Please keep this list sorted by algorithm name. */
4227 static const struct alg_test_desc alg_test_descs[] = {
4228         {
4229                 .alg = "adiantum(xchacha12,aes)",
4230                 .generic_driver = "adiantum(xchacha12-generic,aes-generic,nhpoly1305-generic)",
4231                 .test = alg_test_skcipher,
4232                 .suite = {
4233                         .cipher = __VECS(adiantum_xchacha12_aes_tv_template)
4234                 },
4235         }, {
4236                 .alg = "adiantum(xchacha20,aes)",
4237                 .generic_driver = "adiantum(xchacha20-generic,aes-generic,nhpoly1305-generic)",
4238                 .test = alg_test_skcipher,
4239                 .suite = {
4240                         .cipher = __VECS(adiantum_xchacha20_aes_tv_template)
4241                 },
4242         }, {
4243                 .alg = "aegis128",
4244                 .test = alg_test_aead,
4245                 .suite = {
4246                         .aead = __VECS(aegis128_tv_template)
4247                 }
4248         }, {
4249                 .alg = "ansi_cprng",
4250                 .test = alg_test_cprng,
4251                 .suite = {
4252                         .cprng = __VECS(ansi_cprng_aes_tv_template)
4253                 }
4254         }, {
4255                 .alg = "authenc(hmac(md5),ecb(cipher_null))",
4256                 .test = alg_test_aead,
4257                 .suite = {
4258                         .aead = __VECS(hmac_md5_ecb_cipher_null_tv_template)
4259                 }
4260         }, {
4261                 .alg = "authenc(hmac(sha1),cbc(aes))",
4262                 .test = alg_test_aead,
4263                 .fips_allowed = 1,
4264                 .suite = {
4265                         .aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
4266                 }
4267         }, {
4268                 .alg = "authenc(hmac(sha1),cbc(des))",
4269                 .test = alg_test_aead,
4270                 .suite = {
4271                         .aead = __VECS(hmac_sha1_des_cbc_tv_temp)
4272                 }
4273         }, {
4274                 .alg = "authenc(hmac(sha1),cbc(des3_ede))",
4275                 .test = alg_test_aead,
4276                 .suite = {
4277                         .aead = __VECS(hmac_sha1_des3_ede_cbc_tv_temp)
4278                 }
4279         }, {
4280                 .alg = "authenc(hmac(sha1),ctr(aes))",
4281                 .test = alg_test_null,
4282                 .fips_allowed = 1,
4283         }, {
4284                 .alg = "authenc(hmac(sha1),ecb(cipher_null))",
4285                 .test = alg_test_aead,
4286                 .suite = {
4287                         .aead = __VECS(hmac_sha1_ecb_cipher_null_tv_temp)
4288                 }
4289         }, {
4290                 .alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
4291                 .test = alg_test_null,
4292                 .fips_allowed = 1,
4293         }, {
4294                 .alg = "authenc(hmac(sha224),cbc(des))",
4295                 .test = alg_test_aead,
4296                 .suite = {
4297                         .aead = __VECS(hmac_sha224_des_cbc_tv_temp)
4298                 }
4299         }, {
4300                 .alg = "authenc(hmac(sha224),cbc(des3_ede))",
4301                 .test = alg_test_aead,
4302                 .suite = {
4303                         .aead = __VECS(hmac_sha224_des3_ede_cbc_tv_temp)
4304                 }
4305         }, {
4306                 .alg = "authenc(hmac(sha256),cbc(aes))",
4307                 .test = alg_test_aead,
4308                 .fips_allowed = 1,
4309                 .suite = {
4310                         .aead = __VECS(hmac_sha256_aes_cbc_tv_temp)
4311                 }
4312         }, {
4313                 .alg = "authenc(hmac(sha256),cbc(des))",
4314                 .test = alg_test_aead,
4315                 .suite = {
4316                         .aead = __VECS(hmac_sha256_des_cbc_tv_temp)
4317                 }
4318         }, {
4319                 .alg = "authenc(hmac(sha256),cbc(des3_ede))",
4320                 .test = alg_test_aead,
4321                 .suite = {
4322                         .aead = __VECS(hmac_sha256_des3_ede_cbc_tv_temp)
4323                 }
4324         }, {
4325                 .alg = "authenc(hmac(sha256),ctr(aes))",
4326                 .test = alg_test_null,
4327                 .fips_allowed = 1,
4328         }, {
4329                 .alg = "authenc(hmac(sha256),rfc3686(ctr(aes)))",
4330                 .test = alg_test_null,
4331                 .fips_allowed = 1,
4332         }, {
4333                 .alg = "authenc(hmac(sha384),cbc(des))",
4334                 .test = alg_test_aead,
4335                 .suite = {
4336                         .aead = __VECS(hmac_sha384_des_cbc_tv_temp)
4337                 }
4338         }, {
4339                 .alg = "authenc(hmac(sha384),cbc(des3_ede))",
4340                 .test = alg_test_aead,
4341                 .suite = {
4342                         .aead = __VECS(hmac_sha384_des3_ede_cbc_tv_temp)
4343                 }
4344         }, {
4345                 .alg = "authenc(hmac(sha384),ctr(aes))",
4346                 .test = alg_test_null,
4347                 .fips_allowed = 1,
4348         }, {
4349                 .alg = "authenc(hmac(sha384),rfc3686(ctr(aes)))",
4350                 .test = alg_test_null,
4351                 .fips_allowed = 1,
4352         }, {
4353                 .alg = "authenc(hmac(sha512),cbc(aes))",
4354                 .fips_allowed = 1,
4355                 .test = alg_test_aead,
4356                 .suite = {
4357                         .aead = __VECS(hmac_sha512_aes_cbc_tv_temp)
4358                 }
4359         }, {
4360                 .alg = "authenc(hmac(sha512),cbc(des))",
4361                 .test = alg_test_aead,
4362                 .suite = {
4363                         .aead = __VECS(hmac_sha512_des_cbc_tv_temp)
4364                 }
4365         }, {
4366                 .alg = "authenc(hmac(sha512),cbc(des3_ede))",
4367                 .test = alg_test_aead,
4368                 .suite = {
4369                         .aead = __VECS(hmac_sha512_des3_ede_cbc_tv_temp)
4370                 }
4371         }, {
4372                 .alg = "authenc(hmac(sha512),ctr(aes))",
4373                 .test = alg_test_null,
4374                 .fips_allowed = 1,
4375         }, {
4376                 .alg = "authenc(hmac(sha512),rfc3686(ctr(aes)))",
4377                 .test = alg_test_null,
4378                 .fips_allowed = 1,
4379         }, {
4380                 .alg = "blake2b-160",
4381                 .test = alg_test_hash,
4382                 .fips_allowed = 0,
4383                 .suite = {
4384                         .hash = __VECS(blake2b_160_tv_template)
4385                 }
4386         }, {
4387                 .alg = "blake2b-256",
4388                 .test = alg_test_hash,
4389                 .fips_allowed = 0,
4390                 .suite = {
4391                         .hash = __VECS(blake2b_256_tv_template)
4392                 }
4393         }, {
4394                 .alg = "blake2b-384",
4395                 .test = alg_test_hash,
4396                 .fips_allowed = 0,
4397                 .suite = {
4398                         .hash = __VECS(blake2b_384_tv_template)
4399                 }
4400         }, {
4401                 .alg = "blake2b-512",
4402                 .test = alg_test_hash,
4403                 .fips_allowed = 0,
4404                 .suite = {
4405                         .hash = __VECS(blake2b_512_tv_template)
4406                 }
4407         }, {
4408                 .alg = "cbc(aes)",
4409                 .test = alg_test_skcipher,
4410                 .fips_allowed = 1,
4411                 .suite = {
4412                         .cipher = __VECS(aes_cbc_tv_template)
4413                 },
4414         }, {
4415                 .alg = "cbc(anubis)",
4416                 .test = alg_test_skcipher,
4417                 .suite = {
4418                         .cipher = __VECS(anubis_cbc_tv_template)
4419                 },
4420         }, {
4421                 .alg = "cbc(aria)",
4422                 .test = alg_test_skcipher,
4423                 .suite = {
4424                         .cipher = __VECS(aria_cbc_tv_template)
4425                 },
4426         }, {
4427                 .alg = "cbc(blowfish)",
4428                 .test = alg_test_skcipher,
4429                 .suite = {
4430                         .cipher = __VECS(bf_cbc_tv_template)
4431                 },
4432         }, {
4433                 .alg = "cbc(camellia)",
4434                 .test = alg_test_skcipher,
4435                 .suite = {
4436                         .cipher = __VECS(camellia_cbc_tv_template)
4437                 },
4438         }, {
4439                 .alg = "cbc(cast5)",
4440                 .test = alg_test_skcipher,
4441                 .suite = {
4442                         .cipher = __VECS(cast5_cbc_tv_template)
4443                 },
4444         }, {
4445                 .alg = "cbc(cast6)",
4446                 .test = alg_test_skcipher,
4447                 .suite = {
4448                         .cipher = __VECS(cast6_cbc_tv_template)
4449                 },
4450         }, {
4451                 .alg = "cbc(des)",
4452                 .test = alg_test_skcipher,
4453                 .suite = {
4454                         .cipher = __VECS(des_cbc_tv_template)
4455                 },
4456         }, {
4457                 .alg = "cbc(des3_ede)",
4458                 .test = alg_test_skcipher,
4459                 .suite = {
4460                         .cipher = __VECS(des3_ede_cbc_tv_template)
4461                 },
4462         }, {
4463                 /* Same as cbc(aes) except the key is stored in
4464                  * hardware secure memory which we reference by index
4465                  */
4466                 .alg = "cbc(paes)",
4467                 .test = alg_test_null,
4468                 .fips_allowed = 1,
4469         }, {
4470                 /* Same as cbc(sm4) except the key is stored in
4471                  * hardware secure memory which we reference by index
4472                  */
4473                 .alg = "cbc(psm4)",
4474                 .test = alg_test_null,
4475         }, {
4476                 .alg = "cbc(serpent)",
4477                 .test = alg_test_skcipher,
4478                 .suite = {
4479                         .cipher = __VECS(serpent_cbc_tv_template)
4480                 },
4481         }, {
4482                 .alg = "cbc(sm4)",
4483                 .test = alg_test_skcipher,
4484                 .suite = {
4485                         .cipher = __VECS(sm4_cbc_tv_template)
4486                 }
4487         }, {
4488                 .alg = "cbc(twofish)",
4489                 .test = alg_test_skcipher,
4490                 .suite = {
4491                         .cipher = __VECS(tf_cbc_tv_template)
4492                 },
4493         }, {
4494 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4495                 .alg = "cbc-paes-s390",
4496                 .fips_allowed = 1,
4497                 .test = alg_test_skcipher,
4498                 .suite = {
4499                         .cipher = __VECS(aes_cbc_tv_template)
4500                 }
4501         }, {
4502 #endif
4503                 .alg = "cbcmac(aes)",
4504                 .fips_allowed = 1,
4505                 .test = alg_test_hash,
4506                 .suite = {
4507                         .hash = __VECS(aes_cbcmac_tv_template)
4508                 }
4509         }, {
4510                 .alg = "cbcmac(sm4)",
4511                 .test = alg_test_hash,
4512                 .suite = {
4513                         .hash = __VECS(sm4_cbcmac_tv_template)
4514                 }
4515         }, {
4516                 .alg = "ccm(aes)",
4517                 .generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))",
4518                 .test = alg_test_aead,
4519                 .fips_allowed = 1,
4520                 .suite = {
4521                         .aead = {
4522                                 ____VECS(aes_ccm_tv_template),
4523                                 .einval_allowed = 1,
4524                         }
4525                 }
4526         }, {
4527                 .alg = "ccm(sm4)",
4528                 .generic_driver = "ccm_base(ctr(sm4-generic),cbcmac(sm4-generic))",
4529                 .test = alg_test_aead,
4530                 .suite = {
4531                         .aead = {
4532                                 ____VECS(sm4_ccm_tv_template),
4533                                 .einval_allowed = 1,
4534                         }
4535                 }
4536         }, {
4537                 .alg = "cfb(aes)",
4538                 .test = alg_test_skcipher,
4539                 .fips_allowed = 1,
4540                 .suite = {
4541                         .cipher = __VECS(aes_cfb_tv_template)
4542                 },
4543         }, {
4544                 .alg = "cfb(aria)",
4545                 .test = alg_test_skcipher,
4546                 .suite = {
4547                         .cipher = __VECS(aria_cfb_tv_template)
4548                 },
4549         }, {
4550                 .alg = "cfb(sm4)",
4551                 .test = alg_test_skcipher,
4552                 .suite = {
4553                         .cipher = __VECS(sm4_cfb_tv_template)
4554                 }
4555         }, {
4556                 .alg = "chacha20",
4557                 .test = alg_test_skcipher,
4558                 .suite = {
4559                         .cipher = __VECS(chacha20_tv_template)
4560                 },
4561         }, {
4562                 .alg = "cmac(aes)",
4563                 .fips_allowed = 1,
4564                 .test = alg_test_hash,
4565                 .suite = {
4566                         .hash = __VECS(aes_cmac128_tv_template)
4567                 }
4568         }, {
4569                 .alg = "cmac(des3_ede)",
4570                 .test = alg_test_hash,
4571                 .suite = {
4572                         .hash = __VECS(des3_ede_cmac64_tv_template)
4573                 }
4574         }, {
4575                 .alg = "cmac(sm4)",
4576                 .test = alg_test_hash,
4577                 .suite = {
4578                         .hash = __VECS(sm4_cmac128_tv_template)
4579                 }
4580         }, {
4581                 .alg = "compress_null",
4582                 .test = alg_test_null,
4583         }, {
4584                 .alg = "crc32",
4585                 .test = alg_test_hash,
4586                 .fips_allowed = 1,
4587                 .suite = {
4588                         .hash = __VECS(crc32_tv_template)
4589                 }
4590         }, {
4591                 .alg = "crc32c",
4592                 .test = alg_test_crc32c,
4593                 .fips_allowed = 1,
4594                 .suite = {
4595                         .hash = __VECS(crc32c_tv_template)
4596                 }
4597         }, {
4598                 .alg = "crc64-rocksoft",
4599                 .test = alg_test_hash,
4600                 .fips_allowed = 1,
4601                 .suite = {
4602                         .hash = __VECS(crc64_rocksoft_tv_template)
4603                 }
4604         }, {
4605                 .alg = "crct10dif",
4606                 .test = alg_test_hash,
4607                 .fips_allowed = 1,
4608                 .suite = {
4609                         .hash = __VECS(crct10dif_tv_template)
4610                 }
4611         }, {
4612                 .alg = "ctr(aes)",
4613                 .test = alg_test_skcipher,
4614                 .fips_allowed = 1,
4615                 .suite = {
4616                         .cipher = __VECS(aes_ctr_tv_template)
4617                 }
4618         }, {
4619                 .alg = "ctr(aria)",
4620                 .test = alg_test_skcipher,
4621                 .suite = {
4622                         .cipher = __VECS(aria_ctr_tv_template)
4623                 }
4624         }, {
4625                 .alg = "ctr(blowfish)",
4626                 .test = alg_test_skcipher,
4627                 .suite = {
4628                         .cipher = __VECS(bf_ctr_tv_template)
4629                 }
4630         }, {
4631                 .alg = "ctr(camellia)",
4632                 .test = alg_test_skcipher,
4633                 .suite = {
4634                         .cipher = __VECS(camellia_ctr_tv_template)
4635                 }
4636         }, {
4637                 .alg = "ctr(cast5)",
4638                 .test = alg_test_skcipher,
4639                 .suite = {
4640                         .cipher = __VECS(cast5_ctr_tv_template)
4641                 }
4642         }, {
4643                 .alg = "ctr(cast6)",
4644                 .test = alg_test_skcipher,
4645                 .suite = {
4646                         .cipher = __VECS(cast6_ctr_tv_template)
4647                 }
4648         }, {
4649                 .alg = "ctr(des)",
4650                 .test = alg_test_skcipher,
4651                 .suite = {
4652                         .cipher = __VECS(des_ctr_tv_template)
4653                 }
4654         }, {
4655                 .alg = "ctr(des3_ede)",
4656                 .test = alg_test_skcipher,
4657                 .suite = {
4658                         .cipher = __VECS(des3_ede_ctr_tv_template)
4659                 }
4660         }, {
4661                 /* Same as ctr(aes) except the key is stored in
4662                  * hardware secure memory which we reference by index
4663                  */
4664                 .alg = "ctr(paes)",
4665                 .test = alg_test_null,
4666                 .fips_allowed = 1,
4667         }, {
4668
4669                 /* Same as ctr(sm4) except the key is stored in
4670                  * hardware secure memory which we reference by index
4671                  */
4672                 .alg = "ctr(psm4)",
4673                 .test = alg_test_null,
4674         }, {
4675                 .alg = "ctr(serpent)",
4676                 .test = alg_test_skcipher,
4677                 .suite = {
4678                         .cipher = __VECS(serpent_ctr_tv_template)
4679                 }
4680         }, {
4681                 .alg = "ctr(sm4)",
4682                 .test = alg_test_skcipher,
4683                 .suite = {
4684                         .cipher = __VECS(sm4_ctr_tv_template)
4685                 }
4686         }, {
4687                 .alg = "ctr(twofish)",
4688                 .test = alg_test_skcipher,
4689                 .suite = {
4690                         .cipher = __VECS(tf_ctr_tv_template)
4691                 }
4692         }, {
4693 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4694                 .alg = "ctr-paes-s390",
4695                 .fips_allowed = 1,
4696                 .test = alg_test_skcipher,
4697                 .suite = {
4698                         .cipher = __VECS(aes_ctr_tv_template)
4699                 }
4700         }, {
4701 #endif
4702                 .alg = "cts(cbc(aes))",
4703                 .test = alg_test_skcipher,
4704                 .fips_allowed = 1,
4705                 .suite = {
4706                         .cipher = __VECS(cts_mode_tv_template)
4707                 }
4708         }, {
4709                 /* Same as cts(cbc((aes)) except the key is stored in
4710                  * hardware secure memory which we reference by index
4711                  */
4712                 .alg = "cts(cbc(paes))",
4713                 .test = alg_test_null,
4714                 .fips_allowed = 1,
4715         }, {
4716                 .alg = "curve25519",
4717                 .test = alg_test_kpp,
4718                 .suite = {
4719                         .kpp = __VECS(curve25519_tv_template)
4720                 }
4721         }, {
4722                 .alg = "deflate",
4723                 .test = alg_test_comp,
4724                 .fips_allowed = 1,
4725                 .suite = {
4726                         .comp = {
4727                                 .comp = __VECS(deflate_comp_tv_template),
4728                                 .decomp = __VECS(deflate_decomp_tv_template)
4729                         }
4730                 }
4731         }, {
4732                 .alg = "dh",
4733                 .test = alg_test_kpp,
4734                 .suite = {
4735                         .kpp = __VECS(dh_tv_template)
4736                 }
4737         }, {
4738                 .alg = "digest_null",
4739                 .test = alg_test_null,
4740         }, {
4741                 .alg = "drbg_nopr_ctr_aes128",
4742                 .test = alg_test_drbg,
4743                 .fips_allowed = 1,
4744                 .suite = {
4745                         .drbg = __VECS(drbg_nopr_ctr_aes128_tv_template)
4746                 }
4747         }, {
4748                 .alg = "drbg_nopr_ctr_aes192",
4749                 .test = alg_test_drbg,
4750                 .fips_allowed = 1,
4751                 .suite = {
4752                         .drbg = __VECS(drbg_nopr_ctr_aes192_tv_template)
4753                 }
4754         }, {
4755                 .alg = "drbg_nopr_ctr_aes256",
4756                 .test = alg_test_drbg,
4757                 .fips_allowed = 1,
4758                 .suite = {
4759                         .drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
4760                 }
4761         }, {
4762                 /*
4763                  * There is no need to specifically test the DRBG with every
4764                  * backend cipher -- covered by drbg_nopr_hmac_sha256 test
4765                  */
4766                 .alg = "drbg_nopr_hmac_sha1",
4767                 .fips_allowed = 1,
4768                 .test = alg_test_null,
4769         }, {
4770                 .alg = "drbg_nopr_hmac_sha256",
4771                 .test = alg_test_drbg,
4772                 .fips_allowed = 1,
4773                 .suite = {
4774                         .drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
4775                 }
4776         }, {
4777                 /* covered by drbg_nopr_hmac_sha256 test */
4778                 .alg = "drbg_nopr_hmac_sha384",
4779                 .fips_allowed = 1,
4780                 .test = alg_test_null,
4781         }, {
4782                 .alg = "drbg_nopr_hmac_sha512",
4783                 .test = alg_test_drbg,
4784                 .fips_allowed = 1,
4785                 .suite = {
4786                         .drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
4787                 }
4788         }, {
4789                 .alg = "drbg_nopr_sha1",
4790                 .fips_allowed = 1,
4791                 .test = alg_test_null,
4792         }, {
4793                 .alg = "drbg_nopr_sha256",
4794                 .test = alg_test_drbg,
4795                 .fips_allowed = 1,
4796                 .suite = {
4797                         .drbg = __VECS(drbg_nopr_sha256_tv_template)
4798                 }
4799         }, {
4800                 /* covered by drbg_nopr_sha256 test */
4801                 .alg = "drbg_nopr_sha384",
4802                 .fips_allowed = 1,
4803                 .test = alg_test_null,
4804         }, {
4805                 .alg = "drbg_nopr_sha512",
4806                 .fips_allowed = 1,
4807                 .test = alg_test_null,
4808         }, {
4809                 .alg = "drbg_pr_ctr_aes128",
4810                 .test = alg_test_drbg,
4811                 .fips_allowed = 1,
4812                 .suite = {
4813                         .drbg = __VECS(drbg_pr_ctr_aes128_tv_template)
4814                 }
4815         }, {
4816                 /* covered by drbg_pr_ctr_aes128 test */
4817                 .alg = "drbg_pr_ctr_aes192",
4818                 .fips_allowed = 1,
4819                 .test = alg_test_null,
4820         }, {
4821                 .alg = "drbg_pr_ctr_aes256",
4822                 .fips_allowed = 1,
4823                 .test = alg_test_null,
4824         }, {
4825                 .alg = "drbg_pr_hmac_sha1",
4826                 .fips_allowed = 1,
4827                 .test = alg_test_null,
4828         }, {
4829                 .alg = "drbg_pr_hmac_sha256",
4830                 .test = alg_test_drbg,
4831                 .fips_allowed = 1,
4832                 .suite = {
4833                         .drbg = __VECS(drbg_pr_hmac_sha256_tv_template)
4834                 }
4835         }, {
4836                 /* covered by drbg_pr_hmac_sha256 test */
4837                 .alg = "drbg_pr_hmac_sha384",
4838                 .fips_allowed = 1,
4839                 .test = alg_test_null,
4840         }, {
4841                 .alg = "drbg_pr_hmac_sha512",
4842                 .test = alg_test_null,
4843                 .fips_allowed = 1,
4844         }, {
4845                 .alg = "drbg_pr_sha1",
4846                 .fips_allowed = 1,
4847                 .test = alg_test_null,
4848         }, {
4849                 .alg = "drbg_pr_sha256",
4850                 .test = alg_test_drbg,
4851                 .fips_allowed = 1,
4852                 .suite = {
4853                         .drbg = __VECS(drbg_pr_sha256_tv_template)
4854                 }
4855         }, {
4856                 /* covered by drbg_pr_sha256 test */
4857                 .alg = "drbg_pr_sha384",
4858                 .fips_allowed = 1,
4859                 .test = alg_test_null,
4860         }, {
4861                 .alg = "drbg_pr_sha512",
4862                 .fips_allowed = 1,
4863                 .test = alg_test_null,
4864         }, {
4865                 .alg = "ecb(aes)",
4866                 .test = alg_test_skcipher,
4867                 .fips_allowed = 1,
4868                 .suite = {
4869                         .cipher = __VECS(aes_tv_template)
4870                 }
4871         }, {
4872                 .alg = "ecb(anubis)",
4873                 .test = alg_test_skcipher,
4874                 .suite = {
4875                         .cipher = __VECS(anubis_tv_template)
4876                 }
4877         }, {
4878                 .alg = "ecb(arc4)",
4879                 .generic_driver = "ecb(arc4)-generic",
4880                 .test = alg_test_skcipher,
4881                 .suite = {
4882                         .cipher = __VECS(arc4_tv_template)
4883                 }
4884         }, {
4885                 .alg = "ecb(aria)",
4886                 .test = alg_test_skcipher,
4887                 .suite = {
4888                         .cipher = __VECS(aria_tv_template)
4889                 }
4890         }, {
4891                 .alg = "ecb(blowfish)",
4892                 .test = alg_test_skcipher,
4893                 .suite = {
4894                         .cipher = __VECS(bf_tv_template)
4895                 }
4896         }, {
4897                 .alg = "ecb(camellia)",
4898                 .test = alg_test_skcipher,
4899                 .suite = {
4900                         .cipher = __VECS(camellia_tv_template)
4901                 }
4902         }, {
4903                 .alg = "ecb(cast5)",
4904                 .test = alg_test_skcipher,
4905                 .suite = {
4906                         .cipher = __VECS(cast5_tv_template)
4907                 }
4908         }, {
4909                 .alg = "ecb(cast6)",
4910                 .test = alg_test_skcipher,
4911                 .suite = {
4912                         .cipher = __VECS(cast6_tv_template)
4913                 }
4914         }, {
4915                 .alg = "ecb(cipher_null)",
4916                 .test = alg_test_null,
4917                 .fips_allowed = 1,
4918         }, {
4919                 .alg = "ecb(des)",
4920                 .test = alg_test_skcipher,
4921                 .suite = {
4922                         .cipher = __VECS(des_tv_template)
4923                 }
4924         }, {
4925                 .alg = "ecb(des3_ede)",
4926                 .test = alg_test_skcipher,
4927                 .suite = {
4928                         .cipher = __VECS(des3_ede_tv_template)
4929                 }
4930         }, {
4931                 .alg = "ecb(fcrypt)",
4932                 .test = alg_test_skcipher,
4933                 .suite = {
4934                         .cipher = {
4935                                 .vecs = fcrypt_pcbc_tv_template,
4936                                 .count = 1
4937                         }
4938                 }
4939         }, {
4940                 .alg = "ecb(khazad)",
4941                 .test = alg_test_skcipher,
4942                 .suite = {
4943                         .cipher = __VECS(khazad_tv_template)
4944                 }
4945         }, {
4946                 /* Same as ecb(aes) except the key is stored in
4947                  * hardware secure memory which we reference by index
4948                  */
4949                 .alg = "ecb(paes)",
4950                 .test = alg_test_null,
4951                 .fips_allowed = 1,
4952         }, {
4953                 .alg = "ecb(seed)",
4954                 .test = alg_test_skcipher,
4955                 .suite = {
4956                         .cipher = __VECS(seed_tv_template)
4957                 }
4958         }, {
4959                 .alg = "ecb(serpent)",
4960                 .test = alg_test_skcipher,
4961                 .suite = {
4962                         .cipher = __VECS(serpent_tv_template)
4963                 }
4964         }, {
4965                 .alg = "ecb(sm4)",
4966                 .test = alg_test_skcipher,
4967                 .suite = {
4968                         .cipher = __VECS(sm4_tv_template)
4969                 }
4970         }, {
4971                 .alg = "ecb(tea)",
4972                 .test = alg_test_skcipher,
4973                 .suite = {
4974                         .cipher = __VECS(tea_tv_template)
4975                 }
4976         }, {
4977                 .alg = "ecb(twofish)",
4978                 .test = alg_test_skcipher,
4979                 .suite = {
4980                         .cipher = __VECS(tf_tv_template)
4981                 }
4982         }, {
4983                 .alg = "ecb(xeta)",
4984                 .test = alg_test_skcipher,
4985                 .suite = {
4986                         .cipher = __VECS(xeta_tv_template)
4987                 }
4988         }, {
4989                 .alg = "ecb(xtea)",
4990                 .test = alg_test_skcipher,
4991                 .suite = {
4992                         .cipher = __VECS(xtea_tv_template)
4993                 }
4994         }, {
4995 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4996                 .alg = "ecb-paes-s390",
4997                 .fips_allowed = 1,
4998                 .test = alg_test_skcipher,
4999                 .suite = {
5000                         .cipher = __VECS(aes_tv_template)
5001                 }
5002         }, {
5003 #endif
5004                 .alg = "ecdh-nist-p192",
5005                 .test = alg_test_kpp,
5006                 .suite = {
5007                         .kpp = __VECS(ecdh_p192_tv_template)
5008                 }
5009         }, {
5010                 .alg = "ecdh-nist-p256",
5011                 .test = alg_test_kpp,
5012                 .fips_allowed = 1,
5013                 .suite = {
5014                         .kpp = __VECS(ecdh_p256_tv_template)
5015                 }
5016         }, {
5017                 .alg = "ecdh-nist-p384",
5018                 .test = alg_test_kpp,
5019                 .fips_allowed = 1,
5020                 .suite = {
5021                         .kpp = __VECS(ecdh_p384_tv_template)
5022                 }
5023         }, {
5024                 .alg = "ecdsa-nist-p192",
5025                 .test = alg_test_akcipher,
5026                 .suite = {
5027                         .akcipher = __VECS(ecdsa_nist_p192_tv_template)
5028                 }
5029         }, {
5030                 .alg = "ecdsa-nist-p256",
5031                 .test = alg_test_akcipher,
5032                 .suite = {
5033                         .akcipher = __VECS(ecdsa_nist_p256_tv_template)
5034                 }
5035         }, {
5036                 .alg = "ecdsa-nist-p384",
5037                 .test = alg_test_akcipher,
5038                 .suite = {
5039                         .akcipher = __VECS(ecdsa_nist_p384_tv_template)
5040                 }
5041         }, {
5042                 .alg = "ecrdsa",
5043                 .test = alg_test_akcipher,
5044                 .suite = {
5045                         .akcipher = __VECS(ecrdsa_tv_template)
5046                 }
5047         }, {
5048                 .alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)",
5049                 .test = alg_test_aead,
5050                 .fips_allowed = 1,
5051                 .suite = {
5052                         .aead = __VECS(essiv_hmac_sha256_aes_cbc_tv_temp)
5053                 }
5054         }, {
5055                 .alg = "essiv(cbc(aes),sha256)",
5056                 .test = alg_test_skcipher,
5057                 .fips_allowed = 1,
5058                 .suite = {
5059                         .cipher = __VECS(essiv_aes_cbc_tv_template)
5060                 }
5061         }, {
5062 #if IS_ENABLED(CONFIG_CRYPTO_DH_RFC7919_GROUPS)
5063                 .alg = "ffdhe2048(dh)",
5064                 .test = alg_test_kpp,
5065                 .fips_allowed = 1,
5066                 .suite = {
5067                         .kpp = __VECS(ffdhe2048_dh_tv_template)
5068                 }
5069         }, {
5070                 .alg = "ffdhe3072(dh)",
5071                 .test = alg_test_kpp,
5072                 .fips_allowed = 1,
5073                 .suite = {
5074                         .kpp = __VECS(ffdhe3072_dh_tv_template)
5075                 }
5076         }, {
5077                 .alg = "ffdhe4096(dh)",
5078                 .test = alg_test_kpp,
5079                 .fips_allowed = 1,
5080                 .suite = {
5081                         .kpp = __VECS(ffdhe4096_dh_tv_template)
5082                 }
5083         }, {
5084                 .alg = "ffdhe6144(dh)",
5085                 .test = alg_test_kpp,
5086                 .fips_allowed = 1,
5087                 .suite = {
5088                         .kpp = __VECS(ffdhe6144_dh_tv_template)
5089                 }
5090         }, {
5091                 .alg = "ffdhe8192(dh)",
5092                 .test = alg_test_kpp,
5093                 .fips_allowed = 1,
5094                 .suite = {
5095                         .kpp = __VECS(ffdhe8192_dh_tv_template)
5096                 }
5097         }, {
5098 #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
5099                 .alg = "gcm(aes)",
5100                 .generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)",
5101                 .test = alg_test_aead,
5102                 .fips_allowed = 1,
5103                 .suite = {
5104                         .aead = __VECS(aes_gcm_tv_template)
5105                 }
5106         }, {
5107                 .alg = "gcm(aria)",
5108                 .generic_driver = "gcm_base(ctr(aria-generic),ghash-generic)",
5109                 .test = alg_test_aead,
5110                 .suite = {
5111                         .aead = __VECS(aria_gcm_tv_template)
5112                 }
5113         }, {
5114                 .alg = "gcm(sm4)",
5115                 .generic_driver = "gcm_base(ctr(sm4-generic),ghash-generic)",
5116                 .test = alg_test_aead,
5117                 .suite = {
5118                         .aead = __VECS(sm4_gcm_tv_template)
5119                 }
5120         }, {
5121                 .alg = "ghash",
5122                 .test = alg_test_hash,
5123                 .fips_allowed = 1,
5124                 .suite = {
5125                         .hash = __VECS(ghash_tv_template)
5126                 }
5127         }, {
5128                 .alg = "hctr2(aes)",
5129                 .generic_driver =
5130                     "hctr2_base(xctr(aes-generic),polyval-generic)",
5131                 .test = alg_test_skcipher,
5132                 .suite = {
5133                         .cipher = __VECS(aes_hctr2_tv_template)
5134                 }
5135         }, {
5136                 .alg = "hmac(md5)",
5137                 .test = alg_test_hash,
5138                 .suite = {
5139                         .hash = __VECS(hmac_md5_tv_template)
5140                 }
5141         }, {
5142                 .alg = "hmac(rmd160)",
5143                 .test = alg_test_hash,
5144                 .suite = {
5145                         .hash = __VECS(hmac_rmd160_tv_template)
5146                 }
5147         }, {
5148                 .alg = "hmac(sha1)",
5149                 .test = alg_test_hash,
5150                 .fips_allowed = 1,
5151                 .suite = {
5152                         .hash = __VECS(hmac_sha1_tv_template)
5153                 }
5154         }, {
5155                 .alg = "hmac(sha224)",
5156                 .test = alg_test_hash,
5157                 .fips_allowed = 1,
5158                 .suite = {
5159                         .hash = __VECS(hmac_sha224_tv_template)
5160                 }
5161         }, {
5162                 .alg = "hmac(sha256)",
5163                 .test = alg_test_hash,
5164                 .fips_allowed = 1,
5165                 .suite = {
5166                         .hash = __VECS(hmac_sha256_tv_template)
5167                 }
5168         }, {
5169                 .alg = "hmac(sha3-224)",
5170                 .test = alg_test_hash,
5171                 .fips_allowed = 1,
5172                 .suite = {
5173                         .hash = __VECS(hmac_sha3_224_tv_template)
5174                 }
5175         }, {
5176                 .alg = "hmac(sha3-256)",
5177                 .test = alg_test_hash,
5178                 .fips_allowed = 1,
5179                 .suite = {
5180                         .hash = __VECS(hmac_sha3_256_tv_template)
5181                 }
5182         }, {
5183                 .alg = "hmac(sha3-384)",
5184                 .test = alg_test_hash,
5185                 .fips_allowed = 1,
5186                 .suite = {
5187                         .hash = __VECS(hmac_sha3_384_tv_template)
5188                 }
5189         }, {
5190                 .alg = "hmac(sha3-512)",
5191                 .test = alg_test_hash,
5192                 .fips_allowed = 1,
5193                 .suite = {
5194                         .hash = __VECS(hmac_sha3_512_tv_template)
5195                 }
5196         }, {
5197                 .alg = "hmac(sha384)",
5198                 .test = alg_test_hash,
5199                 .fips_allowed = 1,
5200                 .suite = {
5201                         .hash = __VECS(hmac_sha384_tv_template)
5202                 }
5203         }, {
5204                 .alg = "hmac(sha512)",
5205                 .test = alg_test_hash,
5206                 .fips_allowed = 1,
5207                 .suite = {
5208                         .hash = __VECS(hmac_sha512_tv_template)
5209                 }
5210         }, {
5211                 .alg = "hmac(sm3)",
5212                 .test = alg_test_hash,
5213                 .suite = {
5214                         .hash = __VECS(hmac_sm3_tv_template)
5215                 }
5216         }, {
5217                 .alg = "hmac(streebog256)",
5218                 .test = alg_test_hash,
5219                 .suite = {
5220                         .hash = __VECS(hmac_streebog256_tv_template)
5221                 }
5222         }, {
5223                 .alg = "hmac(streebog512)",
5224                 .test = alg_test_hash,
5225                 .suite = {
5226                         .hash = __VECS(hmac_streebog512_tv_template)
5227                 }
5228         }, {
5229                 .alg = "jitterentropy_rng",
5230                 .fips_allowed = 1,
5231                 .test = alg_test_null,
5232         }, {
5233                 .alg = "kw(aes)",
5234                 .test = alg_test_skcipher,
5235                 .fips_allowed = 1,
5236                 .suite = {
5237                         .cipher = __VECS(aes_kw_tv_template)
5238                 }
5239         }, {
5240                 .alg = "lrw(aes)",
5241                 .generic_driver = "lrw(ecb(aes-generic))",
5242                 .test = alg_test_skcipher,
5243                 .suite = {
5244                         .cipher = __VECS(aes_lrw_tv_template)
5245                 }
5246         }, {
5247                 .alg = "lrw(camellia)",
5248                 .generic_driver = "lrw(ecb(camellia-generic))",
5249                 .test = alg_test_skcipher,
5250                 .suite = {
5251                         .cipher = __VECS(camellia_lrw_tv_template)
5252                 }
5253         }, {
5254                 .alg = "lrw(cast6)",
5255                 .generic_driver = "lrw(ecb(cast6-generic))",
5256                 .test = alg_test_skcipher,
5257                 .suite = {
5258                         .cipher = __VECS(cast6_lrw_tv_template)
5259                 }
5260         }, {
5261                 .alg = "lrw(serpent)",
5262                 .generic_driver = "lrw(ecb(serpent-generic))",
5263                 .test = alg_test_skcipher,
5264                 .suite = {
5265                         .cipher = __VECS(serpent_lrw_tv_template)
5266                 }
5267         }, {
5268                 .alg = "lrw(twofish)",
5269                 .generic_driver = "lrw(ecb(twofish-generic))",
5270                 .test = alg_test_skcipher,
5271                 .suite = {
5272                         .cipher = __VECS(tf_lrw_tv_template)
5273                 }
5274         }, {
5275                 .alg = "lz4",
5276                 .test = alg_test_comp,
5277                 .fips_allowed = 1,
5278                 .suite = {
5279                         .comp = {
5280                                 .comp = __VECS(lz4_comp_tv_template),
5281                                 .decomp = __VECS(lz4_decomp_tv_template)
5282                         }
5283                 }
5284         }, {
5285                 .alg = "lz4hc",
5286                 .test = alg_test_comp,
5287                 .fips_allowed = 1,
5288                 .suite = {
5289                         .comp = {
5290                                 .comp = __VECS(lz4hc_comp_tv_template),
5291                                 .decomp = __VECS(lz4hc_decomp_tv_template)
5292                         }
5293                 }
5294         }, {
5295                 .alg = "lzo",
5296                 .test = alg_test_comp,
5297                 .fips_allowed = 1,
5298                 .suite = {
5299                         .comp = {
5300                                 .comp = __VECS(lzo_comp_tv_template),
5301                                 .decomp = __VECS(lzo_decomp_tv_template)
5302                         }
5303                 }
5304         }, {
5305                 .alg = "lzo-rle",
5306                 .test = alg_test_comp,
5307                 .fips_allowed = 1,
5308                 .suite = {
5309                         .comp = {
5310                                 .comp = __VECS(lzorle_comp_tv_template),
5311                                 .decomp = __VECS(lzorle_decomp_tv_template)
5312                         }
5313                 }
5314         }, {
5315                 .alg = "md4",
5316                 .test = alg_test_hash,
5317                 .suite = {
5318                         .hash = __VECS(md4_tv_template)
5319                 }
5320         }, {
5321                 .alg = "md5",
5322                 .test = alg_test_hash,
5323                 .suite = {
5324                         .hash = __VECS(md5_tv_template)
5325                 }
5326         }, {
5327                 .alg = "michael_mic",
5328                 .test = alg_test_hash,
5329                 .suite = {
5330                         .hash = __VECS(michael_mic_tv_template)
5331                 }
5332         }, {
5333                 .alg = "nhpoly1305",
5334                 .test = alg_test_hash,
5335                 .suite = {
5336                         .hash = __VECS(nhpoly1305_tv_template)
5337                 }
5338         }, {
5339                 .alg = "ofb(aes)",
5340                 .test = alg_test_skcipher,
5341                 .fips_allowed = 1,
5342                 .suite = {
5343                         .cipher = __VECS(aes_ofb_tv_template)
5344                 }
5345         }, {
5346                 /* Same as ofb(aes) except the key is stored in
5347                  * hardware secure memory which we reference by index
5348                  */
5349                 .alg = "ofb(paes)",
5350                 .test = alg_test_null,
5351                 .fips_allowed = 1,
5352         }, {
5353                 .alg = "ofb(sm4)",
5354                 .test = alg_test_skcipher,
5355                 .suite = {
5356                         .cipher = __VECS(sm4_ofb_tv_template)
5357                 }
5358         }, {
5359                 .alg = "pcbc(fcrypt)",
5360                 .test = alg_test_skcipher,
5361                 .suite = {
5362                         .cipher = __VECS(fcrypt_pcbc_tv_template)
5363                 }
5364         }, {
5365                 .alg = "pkcs1pad(rsa,sha224)",
5366                 .test = alg_test_null,
5367                 .fips_allowed = 1,
5368         }, {
5369                 .alg = "pkcs1pad(rsa,sha256)",
5370                 .test = alg_test_akcipher,
5371                 .fips_allowed = 1,
5372                 .suite = {
5373                         .akcipher = __VECS(pkcs1pad_rsa_tv_template)
5374                 }
5375         }, {
5376                 .alg = "pkcs1pad(rsa,sha384)",
5377                 .test = alg_test_null,
5378                 .fips_allowed = 1,
5379         }, {
5380                 .alg = "pkcs1pad(rsa,sha512)",
5381                 .test = alg_test_null,
5382                 .fips_allowed = 1,
5383         }, {
5384                 .alg = "poly1305",
5385                 .test = alg_test_hash,
5386                 .suite = {
5387                         .hash = __VECS(poly1305_tv_template)
5388                 }
5389         }, {
5390                 .alg = "polyval",
5391                 .test = alg_test_hash,
5392                 .suite = {
5393                         .hash = __VECS(polyval_tv_template)
5394                 }
5395         }, {
5396                 .alg = "rfc3686(ctr(aes))",
5397                 .test = alg_test_skcipher,
5398                 .fips_allowed = 1,
5399                 .suite = {
5400                         .cipher = __VECS(aes_ctr_rfc3686_tv_template)
5401                 }
5402         }, {
5403                 .alg = "rfc3686(ctr(sm4))",
5404                 .test = alg_test_skcipher,
5405                 .suite = {
5406                         .cipher = __VECS(sm4_ctr_rfc3686_tv_template)
5407                 }
5408         }, {
5409                 .alg = "rfc4106(gcm(aes))",
5410                 .generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))",
5411                 .test = alg_test_aead,
5412                 .fips_allowed = 1,
5413                 .suite = {
5414                         .aead = {
5415                                 ____VECS(aes_gcm_rfc4106_tv_template),
5416                                 .einval_allowed = 1,
5417                                 .aad_iv = 1,
5418                         }
5419                 }
5420         }, {
5421                 .alg = "rfc4309(ccm(aes))",
5422                 .generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))",
5423                 .test = alg_test_aead,
5424                 .fips_allowed = 1,
5425                 .suite = {
5426                         .aead = {
5427                                 ____VECS(aes_ccm_rfc4309_tv_template),
5428                                 .einval_allowed = 1,
5429                                 .aad_iv = 1,
5430                         }
5431                 }
5432         }, {
5433                 .alg = "rfc4543(gcm(aes))",
5434                 .generic_driver = "rfc4543(gcm_base(ctr(aes-generic),ghash-generic))",
5435                 .test = alg_test_aead,
5436                 .suite = {
5437                         .aead = {
5438                                 ____VECS(aes_gcm_rfc4543_tv_template),
5439                                 .einval_allowed = 1,
5440                                 .aad_iv = 1,
5441                         }
5442                 }
5443         }, {
5444                 .alg = "rfc7539(chacha20,poly1305)",
5445                 .test = alg_test_aead,
5446                 .suite = {
5447                         .aead = __VECS(rfc7539_tv_template)
5448                 }
5449         }, {
5450                 .alg = "rfc7539esp(chacha20,poly1305)",
5451                 .test = alg_test_aead,
5452                 .suite = {
5453                         .aead = {
5454                                 ____VECS(rfc7539esp_tv_template),
5455                                 .einval_allowed = 1,
5456                                 .aad_iv = 1,
5457                         }
5458                 }
5459         }, {
5460                 .alg = "rmd160",
5461                 .test = alg_test_hash,
5462                 .suite = {
5463                         .hash = __VECS(rmd160_tv_template)
5464                 }
5465         }, {
5466                 .alg = "rsa",
5467                 .test = alg_test_akcipher,
5468                 .fips_allowed = 1,
5469                 .suite = {
5470                         .akcipher = __VECS(rsa_tv_template)
5471                 }
5472         }, {
5473                 .alg = "sha1",
5474                 .test = alg_test_hash,
5475                 .fips_allowed = 1,
5476                 .suite = {
5477                         .hash = __VECS(sha1_tv_template)
5478                 }
5479         }, {
5480                 .alg = "sha224",
5481                 .test = alg_test_hash,
5482                 .fips_allowed = 1,
5483                 .suite = {
5484                         .hash = __VECS(sha224_tv_template)
5485                 }
5486         }, {
5487                 .alg = "sha256",
5488                 .test = alg_test_hash,
5489                 .fips_allowed = 1,
5490                 .suite = {
5491                         .hash = __VECS(sha256_tv_template)
5492                 }
5493         }, {
5494                 .alg = "sha3-224",
5495                 .test = alg_test_hash,
5496                 .fips_allowed = 1,
5497                 .suite = {
5498                         .hash = __VECS(sha3_224_tv_template)
5499                 }
5500         }, {
5501                 .alg = "sha3-256",
5502                 .test = alg_test_hash,
5503                 .fips_allowed = 1,
5504                 .suite = {
5505                         .hash = __VECS(sha3_256_tv_template)
5506                 }
5507         }, {
5508                 .alg = "sha3-384",
5509                 .test = alg_test_hash,
5510                 .fips_allowed = 1,
5511                 .suite = {
5512                         .hash = __VECS(sha3_384_tv_template)
5513                 }
5514         }, {
5515                 .alg = "sha3-512",
5516                 .test = alg_test_hash,
5517                 .fips_allowed = 1,
5518                 .suite = {
5519                         .hash = __VECS(sha3_512_tv_template)
5520                 }
5521         }, {
5522                 .alg = "sha384",
5523                 .test = alg_test_hash,
5524                 .fips_allowed = 1,
5525                 .suite = {
5526                         .hash = __VECS(sha384_tv_template)
5527                 }
5528         }, {
5529                 .alg = "sha512",
5530                 .test = alg_test_hash,
5531                 .fips_allowed = 1,
5532                 .suite = {
5533                         .hash = __VECS(sha512_tv_template)
5534                 }
5535         }, {
5536                 .alg = "sm2",
5537                 .test = alg_test_akcipher,
5538                 .suite = {
5539                         .akcipher = __VECS(sm2_tv_template)
5540                 }
5541         }, {
5542                 .alg = "sm3",
5543                 .test = alg_test_hash,
5544                 .suite = {
5545                         .hash = __VECS(sm3_tv_template)
5546                 }
5547         }, {
5548                 .alg = "streebog256",
5549                 .test = alg_test_hash,
5550                 .suite = {
5551                         .hash = __VECS(streebog256_tv_template)
5552                 }
5553         }, {
5554                 .alg = "streebog512",
5555                 .test = alg_test_hash,
5556                 .suite = {
5557                         .hash = __VECS(streebog512_tv_template)
5558                 }
5559         }, {
5560                 .alg = "vmac64(aes)",
5561                 .test = alg_test_hash,
5562                 .suite = {
5563                         .hash = __VECS(vmac64_aes_tv_template)
5564                 }
5565         }, {
5566                 .alg = "wp256",
5567                 .test = alg_test_hash,
5568                 .suite = {
5569                         .hash = __VECS(wp256_tv_template)
5570                 }
5571         }, {
5572                 .alg = "wp384",
5573                 .test = alg_test_hash,
5574                 .suite = {
5575                         .hash = __VECS(wp384_tv_template)
5576                 }
5577         }, {
5578                 .alg = "wp512",
5579                 .test = alg_test_hash,
5580                 .suite = {
5581                         .hash = __VECS(wp512_tv_template)
5582                 }
5583         }, {
5584                 .alg = "xcbc(aes)",
5585                 .test = alg_test_hash,
5586                 .suite = {
5587                         .hash = __VECS(aes_xcbc128_tv_template)
5588                 }
5589         }, {
5590                 .alg = "xchacha12",
5591                 .test = alg_test_skcipher,
5592                 .suite = {
5593                         .cipher = __VECS(xchacha12_tv_template)
5594                 },
5595         }, {
5596                 .alg = "xchacha20",
5597                 .test = alg_test_skcipher,
5598                 .suite = {
5599                         .cipher = __VECS(xchacha20_tv_template)
5600                 },
5601         }, {
5602                 .alg = "xctr(aes)",
5603                 .test = alg_test_skcipher,
5604                 .suite = {
5605                         .cipher = __VECS(aes_xctr_tv_template)
5606                 }
5607         }, {
5608                 .alg = "xts(aes)",
5609                 .generic_driver = "xts(ecb(aes-generic))",
5610                 .test = alg_test_skcipher,
5611                 .fips_allowed = 1,
5612                 .suite = {
5613                         .cipher = __VECS(aes_xts_tv_template)
5614                 }
5615         }, {
5616                 .alg = "xts(camellia)",
5617                 .generic_driver = "xts(ecb(camellia-generic))",
5618                 .test = alg_test_skcipher,
5619                 .suite = {
5620                         .cipher = __VECS(camellia_xts_tv_template)
5621                 }
5622         }, {
5623                 .alg = "xts(cast6)",
5624                 .generic_driver = "xts(ecb(cast6-generic))",
5625                 .test = alg_test_skcipher,
5626                 .suite = {
5627                         .cipher = __VECS(cast6_xts_tv_template)
5628                 }
5629         }, {
5630                 /* Same as xts(aes) except the key is stored in
5631                  * hardware secure memory which we reference by index
5632                  */
5633                 .alg = "xts(paes)",
5634                 .test = alg_test_null,
5635                 .fips_allowed = 1,
5636         }, {
5637                 .alg = "xts(serpent)",
5638                 .generic_driver = "xts(ecb(serpent-generic))",
5639                 .test = alg_test_skcipher,
5640                 .suite = {
5641                         .cipher = __VECS(serpent_xts_tv_template)
5642                 }
5643         }, {
5644                 .alg = "xts(twofish)",
5645                 .generic_driver = "xts(ecb(twofish-generic))",
5646                 .test = alg_test_skcipher,
5647                 .suite = {
5648                         .cipher = __VECS(tf_xts_tv_template)
5649                 }
5650         }, {
5651 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
5652                 .alg = "xts-paes-s390",
5653                 .fips_allowed = 1,
5654                 .test = alg_test_skcipher,
5655                 .suite = {
5656                         .cipher = __VECS(aes_xts_tv_template)
5657                 }
5658         }, {
5659 #endif
5660                 .alg = "xts4096(paes)",
5661                 .test = alg_test_null,
5662                 .fips_allowed = 1,
5663         }, {
5664                 .alg = "xts512(paes)",
5665                 .test = alg_test_null,
5666                 .fips_allowed = 1,
5667         }, {
5668                 .alg = "xxhash64",
5669                 .test = alg_test_hash,
5670                 .fips_allowed = 1,
5671                 .suite = {
5672                         .hash = __VECS(xxhash64_tv_template)
5673                 }
5674         }, {
5675                 .alg = "zlib-deflate",
5676                 .test = alg_test_comp,
5677                 .fips_allowed = 1,
5678                 .suite = {
5679                         .comp = {
5680                                 .comp = __VECS(zlib_deflate_comp_tv_template),
5681                                 .decomp = __VECS(zlib_deflate_decomp_tv_template)
5682                         }
5683                 }
5684         }, {
5685                 .alg = "zstd",
5686                 .test = alg_test_comp,
5687                 .fips_allowed = 1,
5688                 .suite = {
5689                         .comp = {
5690                                 .comp = __VECS(zstd_comp_tv_template),
5691                                 .decomp = __VECS(zstd_decomp_tv_template)
5692                         }
5693                 }
5694         }
5695 };
5696
5697 static void alg_check_test_descs_order(void)
5698 {
5699         int i;
5700
5701         for (i = 1; i < ARRAY_SIZE(alg_test_descs); i++) {
5702                 int diff = strcmp(alg_test_descs[i - 1].alg,
5703                                   alg_test_descs[i].alg);
5704
5705                 if (WARN_ON(diff > 0)) {
5706                         pr_warn("testmgr: alg_test_descs entries in wrong order: '%s' before '%s'\n",
5707                                 alg_test_descs[i - 1].alg,
5708                                 alg_test_descs[i].alg);
5709                 }
5710
5711                 if (WARN_ON(diff == 0)) {
5712                         pr_warn("testmgr: duplicate alg_test_descs entry: '%s'\n",
5713                                 alg_test_descs[i].alg);
5714                 }
5715         }
5716 }
5717
5718 static void alg_check_testvec_configs(void)
5719 {
5720         int i;
5721
5722         for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++)
5723                 WARN_ON(!valid_testvec_config(
5724                                 &default_cipher_testvec_configs[i]));
5725
5726         for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++)
5727                 WARN_ON(!valid_testvec_config(
5728                                 &default_hash_testvec_configs[i]));
5729 }
5730
5731 static void testmgr_onetime_init(void)
5732 {
5733         alg_check_test_descs_order();
5734         alg_check_testvec_configs();
5735
5736 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
5737         pr_warn("alg: extra crypto tests enabled.  This is intended for developer use only.\n");
5738 #endif
5739 }
5740
5741 static int alg_find_test(const char *alg)
5742 {
5743         int start = 0;
5744         int end = ARRAY_SIZE(alg_test_descs);
5745
5746         while (start < end) {
5747                 int i = (start + end) / 2;
5748                 int diff = strcmp(alg_test_descs[i].alg, alg);
5749
5750                 if (diff > 0) {
5751                         end = i;
5752                         continue;
5753                 }
5754
5755                 if (diff < 0) {
5756                         start = i + 1;
5757                         continue;
5758                 }
5759
5760                 return i;
5761         }
5762
5763         return -1;
5764 }
5765
5766 static int alg_fips_disabled(const char *driver, const char *alg)
5767 {
5768         pr_info("alg: %s (%s) is disabled due to FIPS\n", alg, driver);
5769
5770         return -ECANCELED;
5771 }
5772
5773 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
5774 {
5775         int i;
5776         int j;
5777         int rc;
5778
5779         if (!fips_enabled && notests) {
5780                 printk_once(KERN_INFO "alg: self-tests disabled\n");
5781                 return 0;
5782         }
5783
5784         DO_ONCE(testmgr_onetime_init);
5785
5786         if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) {
5787                 char nalg[CRYPTO_MAX_ALG_NAME];
5788
5789                 if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
5790                     sizeof(nalg))
5791                         return -ENAMETOOLONG;
5792
5793                 i = alg_find_test(nalg);
5794                 if (i < 0)
5795                         goto notest;
5796
5797                 if (fips_enabled && !alg_test_descs[i].fips_allowed)
5798                         goto non_fips_alg;
5799
5800                 rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
5801                 goto test_done;
5802         }
5803
5804         i = alg_find_test(alg);
5805         j = alg_find_test(driver);
5806         if (i < 0 && j < 0)
5807                 goto notest;
5808
5809         if (fips_enabled) {
5810                 if (j >= 0 && !alg_test_descs[j].fips_allowed)
5811                         return -EINVAL;
5812
5813                 if (i >= 0 && !alg_test_descs[i].fips_allowed)
5814                         goto non_fips_alg;
5815         }
5816
5817         rc = 0;
5818         if (i >= 0)
5819                 rc |= alg_test_descs[i].test(alg_test_descs + i, driver,
5820                                              type, mask);
5821         if (j >= 0 && j != i)
5822                 rc |= alg_test_descs[j].test(alg_test_descs + j, driver,
5823                                              type, mask);
5824
5825 test_done:
5826         if (rc) {
5827                 if (fips_enabled || panic_on_fail) {
5828                         fips_fail_notify();
5829                         panic("alg: self-tests for %s (%s) failed in %s mode!\n",
5830                               driver, alg,
5831                               fips_enabled ? "fips" : "panic_on_fail");
5832                 }
5833                 pr_warn("alg: self-tests for %s using %s failed (rc=%d)",
5834                         alg, driver, rc);
5835                 WARN(rc != -ENOENT,
5836                      "alg: self-tests for %s using %s failed (rc=%d)",
5837                      alg, driver, rc);
5838         } else {
5839                 if (fips_enabled)
5840                         pr_info("alg: self-tests for %s (%s) passed\n",
5841                                 driver, alg);
5842         }
5843
5844         return rc;
5845
5846 notest:
5847         printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);
5848
5849         if (type & CRYPTO_ALG_FIPS_INTERNAL)
5850                 return alg_fips_disabled(driver, alg);
5851
5852         return 0;
5853 non_fips_alg:
5854         return alg_fips_disabled(driver, alg);
5855 }
5856
5857 #endif /* CONFIG_CRYPTO_MANAGER_DISABLE_TESTS */
5858
5859 EXPORT_SYMBOL_GPL(alg_test);