the-tree/crypto/testmgr.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  * Algorithm testing framework and tests.
0004  *
0005  * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
0006  * Copyright (c) 2002 Jean-Francois Dive <jef@linuxbe.org>
0007  * Copyright (c) 2007 Nokia Siemens Networks
0008  * Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>
0009  * Copyright (c) 2019 Google LLC
0010  *
0011  * Updated RFC4106 AES-GCM testing.
0012  *    Authors: Aidan O'Mahony (aidan.o.mahony@intel.com)
0013  *             Adrian Hoban <adrian.hoban@intel.com>
0014  *             Gabriele Paoloni <gabriele.paoloni@intel.com>
0015  *             Tadeusz Struk (tadeusz.struk@intel.com)
0016  *    Copyright (c) 2010, Intel Corporation.
0017  */
0018
0019 #include <crypto/aead.h>
0020 #include <crypto/hash.h>
0021 #include <crypto/skcipher.h>
0022 #include <linux/err.h>
0023 #include <linux/fips.h>
0024 #include <linux/module.h>
0025 #include <linux/once.h>
0026 #include <linux/random.h>
0027 #include <linux/scatterlist.h>
0028 #include <linux/slab.h>
0029 #include <linux/string.h>
0030 #include <linux/uio.h>
0031 #include <crypto/rng.h>
0032 #include <crypto/drbg.h>
0033 #include <crypto/akcipher.h>
0034 #include <crypto/kpp.h>
0035 #include <crypto/acompress.h>
0036 #include <crypto/internal/cipher.h>
0037 #include <crypto/internal/simd.h>
0038
0039 #include "internal.h"
0040
0041 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
0042
0043 static bool notests;
0044 module_param(notests, bool, 0644);
0045 MODULE_PARM_DESC(notests, "disable crypto self-tests");
0046
0047 static bool panic_on_fail;
0048 module_param(panic_on_fail, bool, 0444);
0049
0050 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
0051 static bool noextratests;
0052 module_param(noextratests, bool, 0644);
0053 MODULE_PARM_DESC(noextratests, "disable expensive crypto self-tests");
0054
0055 static unsigned int fuzz_iterations = 100;
0056 module_param(fuzz_iterations, uint, 0644);
0057 MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations");
0058 #endif
0059
0060 #ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
0061
0062 /* a perfect nop */
0063 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
0064 {
0065     return 0;
0066 }
0067
0068 #else
0069
0070 #include "testmgr.h"
0071
0072 /*
0073  * Need slab memory for testing (size in number of pages).
0074  */
0075 #define XBUFSIZE    8
0076
0077 /*
0078 * Used by test_cipher()
0079 */
0080 #define ENCRYPT 1
0081 #define DECRYPT 0
0082
0083 struct aead_test_suite {
0084     const struct aead_testvec *vecs;
0085     unsigned int count;
0086
0087     /*
0088      * Set if trying to decrypt an inauthentic ciphertext with this
0089      * algorithm might result in EINVAL rather than EBADMSG, due to other
0090      * validation the algorithm does on the inputs such as length checks.
0091      */
0092     unsigned int einval_allowed : 1;
0093
0094     /*
0095      * Set if this algorithm requires that the IV be located at the end of
0096      * the AAD buffer, in addition to being given in the normal way.  The
0097      * behavior when the two IV copies differ is implementation-defined.
0098      */
0099     unsigned int aad_iv : 1;
0100 };
0101
0102 struct cipher_test_suite {
0103     const struct cipher_testvec *vecs;
0104     unsigned int count;
0105 };
0106
0107 struct comp_test_suite {
0108     struct {
0109         const struct comp_testvec *vecs;
0110         unsigned int count;
0111     } comp, decomp;
0112 };
0113
0114 struct hash_test_suite {
0115     const struct hash_testvec *vecs;
0116     unsigned int count;
0117 };
0118
0119 struct cprng_test_suite {
0120     const struct cprng_testvec *vecs;
0121     unsigned int count;
0122 };
0123
0124 struct drbg_test_suite {
0125     const struct drbg_testvec *vecs;
0126     unsigned int count;
0127 };
0128
0129 struct akcipher_test_suite {
0130     const struct akcipher_testvec *vecs;
0131     unsigned int count;
0132 };
0133
0134 struct kpp_test_suite {
0135     const struct kpp_testvec *vecs;
0136     unsigned int count;
0137 };
0138
0139 struct alg_test_desc {
0140     const char *alg;
0141     const char *generic_driver;
0142     int (*test)(const struct alg_test_desc *desc, const char *driver,
0143             u32 type, u32 mask);
0144     int fips_allowed;   /* set if alg is allowed in fips mode */
0145
0146     union {
0147         struct aead_test_suite aead;
0148         struct cipher_test_suite cipher;
0149         struct comp_test_suite comp;
0150         struct hash_test_suite hash;
0151         struct cprng_test_suite cprng;
0152         struct drbg_test_suite drbg;
0153         struct akcipher_test_suite akcipher;
0154         struct kpp_test_suite kpp;
0155     } suite;
0156 };
0157
0158 static void hexdump(unsigned char *buf, unsigned int len)
0159 {
0160     print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
0161             16, 1,
0162             buf, len, false);
0163 }
0164
0165 static int __testmgr_alloc_buf(char *buf[XBUFSIZE], int order)
0166 {
0167     int i;
0168
0169     for (i = 0; i < XBUFSIZE; i++) {
0170         buf[i] = (char *)__get_free_pages(GFP_KERNEL, order);
0171         if (!buf[i])
0172             goto err_free_buf;
0173     }
0174
0175     return 0;
0176
0177 err_free_buf:
0178     while (i-- > 0)
0179         free_pages((unsigned long)buf[i], order);
0180
0181     return -ENOMEM;
0182 }
0183
0184 static int testmgr_alloc_buf(char *buf[XBUFSIZE])
0185 {
0186     return __testmgr_alloc_buf(buf, 0);
0187 }
0188
0189 static void __testmgr_free_buf(char *buf[XBUFSIZE], int order)
0190 {
0191     int i;
0192
0193     for (i = 0; i < XBUFSIZE; i++)
0194         free_pages((unsigned long)buf[i], order);
0195 }
0196
0197 static void testmgr_free_buf(char *buf[XBUFSIZE])
0198 {
0199     __testmgr_free_buf(buf, 0);
0200 }
0201
0202 #define TESTMGR_POISON_BYTE 0xfe
0203 #define TESTMGR_POISON_LEN  16
0204
0205 static inline void testmgr_poison(void *addr, size_t len)
0206 {
0207     memset(addr, TESTMGR_POISON_BYTE, len);
0208 }
0209
0210 /* Is the memory region still fully poisoned? */
0211 static inline bool testmgr_is_poison(const void *addr, size_t len)
0212 {
0213     return memchr_inv(addr, TESTMGR_POISON_BYTE, len) == NULL;
0214 }
0215
0216 /* flush type for hash algorithms */
0217 enum flush_type {
0218     /* merge with update of previous buffer(s) */
0219     FLUSH_TYPE_NONE = 0,
0220
0221     /* update with previous buffer(s) before doing this one */
0222     FLUSH_TYPE_FLUSH,
0223
0224     /* likewise, but also export and re-import the intermediate state */
0225     FLUSH_TYPE_REIMPORT,
0226 };
0227
0228 /* finalization function for hash algorithms */
0229 enum finalization_type {
0230     FINALIZATION_TYPE_FINAL,    /* use final() */
0231     FINALIZATION_TYPE_FINUP,    /* use finup() */
0232     FINALIZATION_TYPE_DIGEST,   /* use digest() */
0233 };
0234
0235 /*
0236  * Whether the crypto operation will occur in-place, and if so whether the
0237  * source and destination scatterlist pointers will coincide (req->src ==
0238  * req->dst), or whether they'll merely point to two separate scatterlists
0239  * (req->src != req->dst) that reference the same underlying memory.
0240  *
0241  * This is only relevant for algorithm types that support in-place operation.
0242  */
0243 enum inplace_mode {
0244     OUT_OF_PLACE,
0245     INPLACE_ONE_SGLIST,
0246     INPLACE_TWO_SGLISTS,
0247 };
0248
0249 #define TEST_SG_TOTAL   10000
0250
0251 /**
0252  * struct test_sg_division - description of a scatterlist entry
0253  *
0254  * This struct describes one entry of a scatterlist being constructed to check a
0255  * crypto test vector.
0256  *
0257  * @proportion_of_total: length of this chunk relative to the total length,
0258  *           given as a proportion out of TEST_SG_TOTAL so that it
0259  *           scales to fit any test vector
0260  * @offset: byte offset into a 2-page buffer at which this chunk will start
0261  * @offset_relative_to_alignmask: if true, add the algorithm's alignmask to the
0262  *                @offset
0263  * @flush_type: for hashes, whether an update() should be done now vs.
0264  *      continuing to accumulate data
0265  * @nosimd: if doing the pending update(), do it with SIMD disabled?
0266  */
0267 struct test_sg_division {
0268     unsigned int proportion_of_total;
0269     unsigned int offset;
0270     bool offset_relative_to_alignmask;
0271     enum flush_type flush_type;
0272     bool nosimd;
0273 };
0274
0275 /**
0276  * struct testvec_config - configuration for testing a crypto test vector
0277  *
0278  * This struct describes the data layout and other parameters with which each
0279  * crypto test vector can be tested.
0280  *
0281  * @name: name of this config, logged for debugging purposes if a test fails
0282  * @inplace_mode: whether and how to operate on the data in-place, if applicable
0283  * @req_flags: extra request_flags, e.g. CRYPTO_TFM_REQ_MAY_SLEEP
0284  * @src_divs: description of how to arrange the source scatterlist
0285  * @dst_divs: description of how to arrange the dst scatterlist, if applicable
0286  *        for the algorithm type.  Defaults to @src_divs if unset.
0287  * @iv_offset: misalignment of the IV in the range [0..MAX_ALGAPI_ALIGNMASK+1],
0288  *         where 0 is aligned to a 2*(MAX_ALGAPI_ALIGNMASK+1) byte boundary
0289  * @iv_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
0290  *                   the @iv_offset
0291  * @key_offset: misalignment of the key, where 0 is default alignment
0292  * @key_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
0293  *                    the @key_offset
0294  * @finalization_type: what finalization function to use for hashes
0295  * @nosimd: execute with SIMD disabled?  Requires !CRYPTO_TFM_REQ_MAY_SLEEP.
0296  */
0297 struct testvec_config {
0298     const char *name;
0299     enum inplace_mode inplace_mode;
0300     u32 req_flags;
0301     struct test_sg_division src_divs[XBUFSIZE];
0302     struct test_sg_division dst_divs[XBUFSIZE];
0303     unsigned int iv_offset;
0304     unsigned int key_offset;
0305     bool iv_offset_relative_to_alignmask;
0306     bool key_offset_relative_to_alignmask;
0307     enum finalization_type finalization_type;
0308     bool nosimd;
0309 };
0310
0311 #define TESTVEC_CONFIG_NAMELEN  192
0312
0313 /*
0314  * The following are the lists of testvec_configs to test for each algorithm
0315  * type when the basic crypto self-tests are enabled, i.e. when
0316  * CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is unset.  They aim to provide good test
0317  * coverage, while keeping the test time much shorter than the full fuzz tests
0318  * so that the basic tests can be enabled in a wider range of circumstances.
0319  */
0320
0321 /* Configs for skciphers and aeads */
0322 static const struct testvec_config default_cipher_testvec_configs[] = {
0323     {
0324         .name = "in-place (one sglist)",
0325         .inplace_mode = INPLACE_ONE_SGLIST,
0326         .src_divs = { { .proportion_of_total = 10000 } },
0327     }, {
0328         .name = "in-place (two sglists)",
0329         .inplace_mode = INPLACE_TWO_SGLISTS,
0330         .src_divs = { { .proportion_of_total = 10000 } },
0331     }, {
0332         .name = "out-of-place",
0333         .inplace_mode = OUT_OF_PLACE,
0334         .src_divs = { { .proportion_of_total = 10000 } },
0335     }, {
0336         .name = "unaligned buffer, offset=1",
0337         .src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
0338         .iv_offset = 1,
0339         .key_offset = 1,
0340     }, {
0341         .name = "buffer aligned only to alignmask",
0342         .src_divs = {
0343             {
0344                 .proportion_of_total = 10000,
0345                 .offset = 1,
0346                 .offset_relative_to_alignmask = true,
0347             },
0348         },
0349         .iv_offset = 1,
0350         .iv_offset_relative_to_alignmask = true,
0351         .key_offset = 1,
0352         .key_offset_relative_to_alignmask = true,
0353     }, {
0354         .name = "two even aligned splits",
0355         .src_divs = {
0356             { .proportion_of_total = 5000 },
0357             { .proportion_of_total = 5000 },
0358         },
0359     }, {
0360         .name = "uneven misaligned splits, may sleep",
0361         .req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
0362         .src_divs = {
0363             { .proportion_of_total = 1900, .offset = 33 },
0364             { .proportion_of_total = 3300, .offset = 7  },
0365             { .proportion_of_total = 4800, .offset = 18 },
0366         },
0367         .iv_offset = 3,
0368         .key_offset = 3,
0369     }, {
0370         .name = "misaligned splits crossing pages, inplace",
0371         .inplace_mode = INPLACE_ONE_SGLIST,
0372         .src_divs = {
0373             {
0374                 .proportion_of_total = 7500,
0375                 .offset = PAGE_SIZE - 32
0376             }, {
0377                 .proportion_of_total = 2500,
0378                 .offset = PAGE_SIZE - 7
0379             },
0380         },
0381     }
0382 };
0383
0384 static const struct testvec_config default_hash_testvec_configs[] = {
0385     {
0386         .name = "init+update+final aligned buffer",
0387         .src_divs = { { .proportion_of_total = 10000 } },
0388         .finalization_type = FINALIZATION_TYPE_FINAL,
0389     }, {
0390         .name = "init+finup aligned buffer",
0391         .src_divs = { { .proportion_of_total = 10000 } },
0392         .finalization_type = FINALIZATION_TYPE_FINUP,
0393     }, {
0394         .name = "digest aligned buffer",
0395         .src_divs = { { .proportion_of_total = 10000 } },
0396         .finalization_type = FINALIZATION_TYPE_DIGEST,
0397     }, {
0398         .name = "init+update+final misaligned buffer",
0399         .src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
0400         .finalization_type = FINALIZATION_TYPE_FINAL,
0401         .key_offset = 1,
0402     }, {
0403         .name = "digest buffer aligned only to alignmask",
0404         .src_divs = {
0405             {
0406                 .proportion_of_total = 10000,
0407                 .offset = 1,
0408                 .offset_relative_to_alignmask = true,
0409             },
0410         },
0411         .finalization_type = FINALIZATION_TYPE_DIGEST,
0412         .key_offset = 1,
0413         .key_offset_relative_to_alignmask = true,
0414     }, {
0415         .name = "init+update+update+final two even splits",
0416         .src_divs = {
0417             { .proportion_of_total = 5000 },
0418             {
0419                 .proportion_of_total = 5000,
0420                 .flush_type = FLUSH_TYPE_FLUSH,
0421             },
0422         },
0423         .finalization_type = FINALIZATION_TYPE_FINAL,
0424     }, {
0425         .name = "digest uneven misaligned splits, may sleep",
0426         .req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
0427         .src_divs = {
0428             { .proportion_of_total = 1900, .offset = 33 },
0429             { .proportion_of_total = 3300, .offset = 7  },
0430             { .proportion_of_total = 4800, .offset = 18 },
0431         },
0432         .finalization_type = FINALIZATION_TYPE_DIGEST,
0433     }, {
0434         .name = "digest misaligned splits crossing pages",
0435         .src_divs = {
0436             {
0437                 .proportion_of_total = 7500,
0438                 .offset = PAGE_SIZE - 32,
0439             }, {
0440                 .proportion_of_total = 2500,
0441                 .offset = PAGE_SIZE - 7,
0442             },
0443         },
0444         .finalization_type = FINALIZATION_TYPE_DIGEST,
0445     }, {
0446         .name = "import/export",
0447         .src_divs = {
0448             {
0449                 .proportion_of_total = 6500,
0450                 .flush_type = FLUSH_TYPE_REIMPORT,
0451             }, {
0452                 .proportion_of_total = 3500,
0453                 .flush_type = FLUSH_TYPE_REIMPORT,
0454             },
0455         },
0456         .finalization_type = FINALIZATION_TYPE_FINAL,
0457     }
0458 };
0459
0460 static unsigned int count_test_sg_divisions(const struct test_sg_division *divs)
0461 {
0462     unsigned int remaining = TEST_SG_TOTAL;
0463     unsigned int ndivs = 0;
0464
0465     do {
0466         remaining -= divs[ndivs++].proportion_of_total;
0467     } while (remaining);
0468
0469     return ndivs;
0470 }
0471
0472 #define SGDIVS_HAVE_FLUSHES BIT(0)
0473 #define SGDIVS_HAVE_NOSIMD  BIT(1)
0474
0475 static bool valid_sg_divisions(const struct test_sg_division *divs,
0476                    unsigned int count, int *flags_ret)
0477 {
0478     unsigned int total = 0;
0479     unsigned int i;
0480
0481     for (i = 0; i < count && total != TEST_SG_TOTAL; i++) {
0482         if (divs[i].proportion_of_total <= 0 ||
0483             divs[i].proportion_of_total > TEST_SG_TOTAL - total)
0484             return false;
0485         total += divs[i].proportion_of_total;
0486         if (divs[i].flush_type != FLUSH_TYPE_NONE)
0487             *flags_ret |= SGDIVS_HAVE_FLUSHES;
0488         if (divs[i].nosimd)
0489             *flags_ret |= SGDIVS_HAVE_NOSIMD;
0490     }
0491     return total == TEST_SG_TOTAL &&
0492         memchr_inv(&divs[i], 0, (count - i) * sizeof(divs[0])) == NULL;
0493 }
0494
0495 /*
0496  * Check whether the given testvec_config is valid.  This isn't strictly needed
0497  * since every testvec_config should be valid, but check anyway so that people
0498  * don't unknowingly add broken configs that don't do what they wanted.
0499  */
0500 static bool valid_testvec_config(const struct testvec_config *cfg)
0501 {
0502     int flags = 0;
0503
0504     if (cfg->name == NULL)
0505         return false;
0506
0507     if (!valid_sg_divisions(cfg->src_divs, ARRAY_SIZE(cfg->src_divs),
0508                 &flags))
0509         return false;
0510
0511     if (cfg->dst_divs[0].proportion_of_total) {
0512         if (!valid_sg_divisions(cfg->dst_divs,
0513                     ARRAY_SIZE(cfg->dst_divs), &flags))
0514             return false;
0515     } else {
0516         if (memchr_inv(cfg->dst_divs, 0, sizeof(cfg->dst_divs)))
0517             return false;
0518         /* defaults to dst_divs=src_divs */
0519     }
0520
0521     if (cfg->iv_offset +
0522         (cfg->iv_offset_relative_to_alignmask ? MAX_ALGAPI_ALIGNMASK : 0) >
0523         MAX_ALGAPI_ALIGNMASK + 1)
0524         return false;
0525
0526     if ((flags & (SGDIVS_HAVE_FLUSHES | SGDIVS_HAVE_NOSIMD)) &&
0527         cfg->finalization_type == FINALIZATION_TYPE_DIGEST)
0528         return false;
0529
0530     if ((cfg->nosimd || (flags & SGDIVS_HAVE_NOSIMD)) &&
0531         (cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP))
0532         return false;
0533
0534     return true;
0535 }
0536
0537 struct test_sglist {
0538     char *bufs[XBUFSIZE];
0539     struct scatterlist sgl[XBUFSIZE];
0540     struct scatterlist sgl_saved[XBUFSIZE];
0541     struct scatterlist *sgl_ptr;
0542     unsigned int nents;
0543 };
0544
0545 static int init_test_sglist(struct test_sglist *tsgl)
0546 {
0547     return __testmgr_alloc_buf(tsgl->bufs, 1 /* two pages per buffer */);
0548 }
0549
0550 static void destroy_test_sglist(struct test_sglist *tsgl)
0551 {
0552     return __testmgr_free_buf(tsgl->bufs, 1 /* two pages per buffer */);
0553 }
0554
0555 /**
0556  * build_test_sglist() - build a scatterlist for a crypto test
0557  *
0558  * @tsgl: the scatterlist to build.  @tsgl->bufs[] contains an array of 2-page
0559  *    buffers which the scatterlist @tsgl->sgl[] will be made to point into.
0560  * @divs: the layout specification on which the scatterlist will be based
0561  * @alignmask: the algorithm's alignmask
0562  * @total_len: the total length of the scatterlist to build in bytes
0563  * @data: if non-NULL, the buffers will be filled with this data until it ends.
0564  *    Otherwise the buffers will be poisoned.  In both cases, some bytes
0565  *    past the end of each buffer will be poisoned to help detect overruns.
0566  * @out_divs: if non-NULL, the test_sg_division to which each scatterlist entry
0567  *        corresponds will be returned here.  This will match @divs except
0568  *        that divisions resolving to a length of 0 are omitted as they are
0569  *        not included in the scatterlist.
0570  *
0571  * Return: 0 or a -errno value
0572  */
0573 static int build_test_sglist(struct test_sglist *tsgl,
0574                  const struct test_sg_division *divs,
0575                  const unsigned int alignmask,
0576                  const unsigned int total_len,
0577                  struct iov_iter *data,
0578                  const struct test_sg_division *out_divs[XBUFSIZE])
0579 {
0580     struct {
0581         const struct test_sg_division *div;
0582         size_t length;
0583     } partitions[XBUFSIZE];
0584     const unsigned int ndivs = count_test_sg_divisions(divs);
0585     unsigned int len_remaining = total_len;
0586     unsigned int i;
0587
0588     BUILD_BUG_ON(ARRAY_SIZE(partitions) != ARRAY_SIZE(tsgl->sgl));
0589     if (WARN_ON(ndivs > ARRAY_SIZE(partitions)))
0590         return -EINVAL;
0591
0592     /* Calculate the (div, length) pairs */
0593     tsgl->nents = 0;
0594     for (i = 0; i < ndivs; i++) {
0595         unsigned int len_this_sg =
0596             min(len_remaining,
0597                 (total_len * divs[i].proportion_of_total +
0598                  TEST_SG_TOTAL / 2) / TEST_SG_TOTAL);
0599
0600         if (len_this_sg != 0) {
0601             partitions[tsgl->nents].div = &divs[i];
0602             partitions[tsgl->nents].length = len_this_sg;
0603             tsgl->nents++;
0604             len_remaining -= len_this_sg;
0605         }
0606     }
0607     if (tsgl->nents == 0) {
0608         partitions[tsgl->nents].div = &divs[0];
0609         partitions[tsgl->nents].length = 0;
0610         tsgl->nents++;
0611     }
0612     partitions[tsgl->nents - 1].length += len_remaining;
0613
0614     /* Set up the sgl entries and fill the data or poison */
0615     sg_init_table(tsgl->sgl, tsgl->nents);
0616     for (i = 0; i < tsgl->nents; i++) {
0617         unsigned int offset = partitions[i].div->offset;
0618         void *addr;
0619
0620         if (partitions[i].div->offset_relative_to_alignmask)
0621             offset += alignmask;
0622
0623         while (offset + partitions[i].length + TESTMGR_POISON_LEN >
0624                2 * PAGE_SIZE) {
0625             if (WARN_ON(offset <= 0))
0626                 return -EINVAL;
0627             offset /= 2;
0628         }
0629
0630         addr = &tsgl->bufs[i][offset];
0631         sg_set_buf(&tsgl->sgl[i], addr, partitions[i].length);
0632
0633         if (out_divs)
0634             out_divs[i] = partitions[i].div;
0635
0636         if (data) {
0637             size_t copy_len, copied;
0638
0639             copy_len = min(partitions[i].length, data->count);
0640             copied = copy_from_iter(addr, copy_len, data);
0641             if (WARN_ON(copied != copy_len))
0642                 return -EINVAL;
0643             testmgr_poison(addr + copy_len, partitions[i].length +
0644                        TESTMGR_POISON_LEN - copy_len);
0645         } else {
0646             testmgr_poison(addr, partitions[i].length +
0647                        TESTMGR_POISON_LEN);
0648         }
0649     }
0650
0651     sg_mark_end(&tsgl->sgl[tsgl->nents - 1]);
0652     tsgl->sgl_ptr = tsgl->sgl;
0653     memcpy(tsgl->sgl_saved, tsgl->sgl, tsgl->nents * sizeof(tsgl->sgl[0]));
0654     return 0;
0655 }
0656
0657 /*
0658  * Verify that a scatterlist crypto operation produced the correct output.
0659  *
0660  * @tsgl: scatterlist containing the actual output
0661  * @expected_output: buffer containing the expected output
0662  * @len_to_check: length of @expected_output in bytes
0663  * @unchecked_prefix_len: number of ignored bytes in @tsgl prior to real result
0664  * @check_poison: verify that the poison bytes after each chunk are intact?
0665  *
0666  * Return: 0 if correct, -EINVAL if incorrect, -EOVERFLOW if buffer overrun.
0667  */
0668 static int verify_correct_output(const struct test_sglist *tsgl,
0669                  const char *expected_output,
0670                  unsigned int len_to_check,
0671                  unsigned int unchecked_prefix_len,
0672                  bool check_poison)
0673 {
0674     unsigned int i;
0675
0676     for (i = 0; i < tsgl->nents; i++) {
0677         struct scatterlist *sg = &tsgl->sgl_ptr[i];
0678         unsigned int len = sg->length;
0679         unsigned int offset = sg->offset;
0680         const char *actual_output;
0681
0682         if (unchecked_prefix_len) {
0683             if (unchecked_prefix_len >= len) {
0684                 unchecked_prefix_len -= len;
0685                 continue;
0686             }
0687             offset += unchecked_prefix_len;
0688             len -= unchecked_prefix_len;
0689             unchecked_prefix_len = 0;
0690         }
0691         len = min(len, len_to_check);
0692         actual_output = page_address(sg_page(sg)) + offset;
0693         if (memcmp(expected_output, actual_output, len) != 0)
0694             return -EINVAL;
0695         if (check_poison &&
0696             !testmgr_is_poison(actual_output + len, TESTMGR_POISON_LEN))
0697             return -EOVERFLOW;
0698         len_to_check -= len;
0699         expected_output += len;
0700     }
0701     if (WARN_ON(len_to_check != 0))
0702         return -EINVAL;
0703     return 0;
0704 }
0705
0706 static bool is_test_sglist_corrupted(const struct test_sglist *tsgl)
0707 {
0708     unsigned int i;
0709
0710     for (i = 0; i < tsgl->nents; i++) {
0711         if (tsgl->sgl[i].page_link != tsgl->sgl_saved[i].page_link)
0712             return true;
0713         if (tsgl->sgl[i].offset != tsgl->sgl_saved[i].offset)
0714             return true;
0715         if (tsgl->sgl[i].length != tsgl->sgl_saved[i].length)
0716             return true;
0717     }
0718     return false;
0719 }
0720
0721 struct cipher_test_sglists {
0722     struct test_sglist src;
0723     struct test_sglist dst;
0724 };
0725
0726 static struct cipher_test_sglists *alloc_cipher_test_sglists(void)
0727 {
0728     struct cipher_test_sglists *tsgls;
0729
0730     tsgls = kmalloc(sizeof(*tsgls), GFP_KERNEL);
0731     if (!tsgls)
0732         return NULL;
0733
0734     if (init_test_sglist(&tsgls->src) != 0)
0735         goto fail_kfree;
0736     if (init_test_sglist(&tsgls->dst) != 0)
0737         goto fail_destroy_src;
0738
0739     return tsgls;
0740
0741 fail_destroy_src:
0742     destroy_test_sglist(&tsgls->src);
0743 fail_kfree:
0744     kfree(tsgls);
0745     return NULL;
0746 }
0747
0748 static void free_cipher_test_sglists(struct cipher_test_sglists *tsgls)
0749 {
0750     if (tsgls) {
0751         destroy_test_sglist(&tsgls->src);
0752         destroy_test_sglist(&tsgls->dst);
0753         kfree(tsgls);
0754     }
0755 }
0756
0757 /* Build the src and dst scatterlists for an skcipher or AEAD test */
0758 static int build_cipher_test_sglists(struct cipher_test_sglists *tsgls,
0759                      const struct testvec_config *cfg,
0760                      unsigned int alignmask,
0761                      unsigned int src_total_len,
0762                      unsigned int dst_total_len,
0763                      const struct kvec *inputs,
0764                      unsigned int nr_inputs)
0765 {
0766     struct iov_iter input;
0767     int err;
0768
0769     iov_iter_kvec(&input, WRITE, inputs, nr_inputs, src_total_len);
0770     err = build_test_sglist(&tsgls->src, cfg->src_divs, alignmask,
0771                 cfg->inplace_mode != OUT_OF_PLACE ?
0772                     max(dst_total_len, src_total_len) :
0773                     src_total_len,
0774                 &input, NULL);
0775     if (err)
0776         return err;
0777
0778     /*
0779      * In-place crypto operations can use the same scatterlist for both the
0780      * source and destination (req->src == req->dst), or can use separate
0781      * scatterlists (req->src != req->dst) which point to the same
0782      * underlying memory.  Make sure to test both cases.
0783      */
0784     if (cfg->inplace_mode == INPLACE_ONE_SGLIST) {
0785         tsgls->dst.sgl_ptr = tsgls->src.sgl;
0786         tsgls->dst.nents = tsgls->src.nents;
0787         return 0;
0788     }
0789     if (cfg->inplace_mode == INPLACE_TWO_SGLISTS) {
0790         /*
0791          * For now we keep it simple and only test the case where the
0792          * two scatterlists have identical entries, rather than
0793          * different entries that split up the same memory differently.
0794          */
0795         memcpy(tsgls->dst.sgl, tsgls->src.sgl,
0796                tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
0797         memcpy(tsgls->dst.sgl_saved, tsgls->src.sgl,
0798                tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
0799         tsgls->dst.sgl_ptr = tsgls->dst.sgl;
0800         tsgls->dst.nents = tsgls->src.nents;
0801         return 0;
0802     }
0803     /* Out of place */
0804     return build_test_sglist(&tsgls->dst,
0805                  cfg->dst_divs[0].proportion_of_total ?
0806                     cfg->dst_divs : cfg->src_divs,
0807                  alignmask, dst_total_len, NULL, NULL);
0808 }
0809
0810 /*
0811  * Support for testing passing a misaligned key to setkey():
0812  *
0813  * If cfg->key_offset is set, copy the key into a new buffer at that offset,
0814  * optionally adding alignmask.  Else, just use the key directly.
0815  */
0816 static int prepare_keybuf(const u8 *key, unsigned int ksize,
0817               const struct testvec_config *cfg,
0818               unsigned int alignmask,
0819               const u8 **keybuf_ret, const u8 **keyptr_ret)
0820 {
0821     unsigned int key_offset = cfg->key_offset;
0822     u8 *keybuf = NULL, *keyptr = (u8 *)key;
0823
0824     if (key_offset != 0) {
0825         if (cfg->key_offset_relative_to_alignmask)
0826             key_offset += alignmask;
0827         keybuf = kmalloc(key_offset + ksize, GFP_KERNEL);
0828         if (!keybuf)
0829             return -ENOMEM;
0830         keyptr = keybuf + key_offset;
0831         memcpy(keyptr, key, ksize);
0832     }
0833     *keybuf_ret = keybuf;
0834     *keyptr_ret = keyptr;
0835     return 0;
0836 }
0837
0838 /* Like setkey_f(tfm, key, ksize), but sometimes misalign the key */
0839 #define do_setkey(setkey_f, tfm, key, ksize, cfg, alignmask)        \
0840 ({                                  \
0841     const u8 *keybuf, *keyptr;                  \
0842     int err;                            \
0843                                     \
0844     err = prepare_keybuf((key), (ksize), (cfg), (alignmask),    \
0845                  &keybuf, &keyptr);             \
0846     if (err == 0) {                         \
0847         err = setkey_f((tfm), keyptr, (ksize));         \
0848         kfree(keybuf);                      \
0849     }                               \
0850     err;                                \
0851 })
0852
0853 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
0854
0855 /* Generate a random length in range [0, max_len], but prefer smaller values */
0856 static unsigned int generate_random_length(unsigned int max_len)
0857 {
0858     unsigned int len = prandom_u32() % (max_len + 1);
0859
0860     switch (prandom_u32() % 4) {
0861     case 0:
0862         return len % 64;
0863     case 1:
0864         return len % 256;
0865     case 2:
0866         return len % 1024;
0867     default:
0868         return len;
0869     }
0870 }
0871
0872 /* Flip a random bit in the given nonempty data buffer */
0873 static void flip_random_bit(u8 *buf, size_t size)
0874 {
0875     size_t bitpos;
0876
0877     bitpos = prandom_u32() % (size * 8);
0878     buf[bitpos / 8] ^= 1 << (bitpos % 8);
0879 }
0880
0881 /* Flip a random byte in the given nonempty data buffer */
0882 static void flip_random_byte(u8 *buf, size_t size)
0883 {
0884     buf[prandom_u32() % size] ^= 0xff;
0885 }
0886
0887 /* Sometimes make some random changes to the given nonempty data buffer */
0888 static void mutate_buffer(u8 *buf, size_t size)
0889 {
0890     size_t num_flips;
0891     size_t i;
0892
0893     /* Sometimes flip some bits */
0894     if (prandom_u32() % 4 == 0) {
0895         num_flips = min_t(size_t, 1 << (prandom_u32() % 8), size * 8);
0896         for (i = 0; i < num_flips; i++)
0897             flip_random_bit(buf, size);
0898     }
0899
0900     /* Sometimes flip some bytes */
0901     if (prandom_u32() % 4 == 0) {
0902         num_flips = min_t(size_t, 1 << (prandom_u32() % 8), size);
0903         for (i = 0; i < num_flips; i++)
0904             flip_random_byte(buf, size);
0905     }
0906 }
0907
0908 /* Randomly generate 'count' bytes, but sometimes make them "interesting" */
0909 static void generate_random_bytes(u8 *buf, size_t count)
0910 {
0911     u8 b;
0912     u8 increment;
0913     size_t i;
0914
0915     if (count == 0)
0916         return;
0917
0918     switch (prandom_u32() % 8) { /* Choose a generation strategy */
0919     case 0:
0920     case 1:
0921         /* All the same byte, plus optional mutations */
0922         switch (prandom_u32() % 4) {
0923         case 0:
0924             b = 0x00;
0925             break;
0926         case 1:
0927             b = 0xff;
0928             break;
0929         default:
0930             b = (u8)prandom_u32();
0931             break;
0932         }
0933         memset(buf, b, count);
0934         mutate_buffer(buf, count);
0935         break;
0936     case 2:
0937         /* Ascending or descending bytes, plus optional mutations */
0938         increment = (u8)prandom_u32();
0939         b = (u8)prandom_u32();
0940         for (i = 0; i < count; i++, b += increment)
0941             buf[i] = b;
0942         mutate_buffer(buf, count);
0943         break;
0944     default:
0945         /* Fully random bytes */
0946         for (i = 0; i < count; i++)
0947             buf[i] = (u8)prandom_u32();
0948     }
0949 }
0950
0951 static char *generate_random_sgl_divisions(struct test_sg_division *divs,
0952                        size_t max_divs, char *p, char *end,
0953                        bool gen_flushes, u32 req_flags)
0954 {
0955     struct test_sg_division *div = divs;
0956     unsigned int remaining = TEST_SG_TOTAL;
0957
0958     do {
0959         unsigned int this_len;
0960         const char *flushtype_str;
0961
0962         if (div == &divs[max_divs - 1] || prandom_u32() % 2 == 0)
0963             this_len = remaining;
0964         else
0965             this_len = 1 + (prandom_u32() % remaining);
0966         div->proportion_of_total = this_len;
0967
0968         if (prandom_u32() % 4 == 0)
0969             div->offset = (PAGE_SIZE - 128) + (prandom_u32() % 128);
0970         else if (prandom_u32() % 2 == 0)
0971             div->offset = prandom_u32() % 32;
0972         else
0973             div->offset = prandom_u32() % PAGE_SIZE;
0974         if (prandom_u32() % 8 == 0)
0975             div->offset_relative_to_alignmask = true;
0976
0977         div->flush_type = FLUSH_TYPE_NONE;
0978         if (gen_flushes) {
0979             switch (prandom_u32() % 4) {
0980             case 0:
0981                 div->flush_type = FLUSH_TYPE_REIMPORT;
0982                 break;
0983             case 1:
0984                 div->flush_type = FLUSH_TYPE_FLUSH;
0985                 break;
0986             }
0987         }
0988
0989         if (div->flush_type != FLUSH_TYPE_NONE &&
0990             !(req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
0991             prandom_u32() % 2 == 0)
0992             div->nosimd = true;
0993
0994         switch (div->flush_type) {
0995         case FLUSH_TYPE_FLUSH:
0996             if (div->nosimd)
0997                 flushtype_str = "<flush,nosimd>";
0998             else
0999                 flushtype_str = "<flush>";
1000             break;
1001         case FLUSH_TYPE_REIMPORT:
1002             if (div->nosimd)
1003                 flushtype_str = "<reimport,nosimd>";
1004             else
1005                 flushtype_str = "<reimport>";
1006             break;
1007         default:
1008             flushtype_str = "";
1009             break;
1010         }
1011
1012         BUILD_BUG_ON(TEST_SG_TOTAL != 10000); /* for "%u.%u%%" */
1013         p += scnprintf(p, end - p, "%s%u.%u%%@%s+%u%s", flushtype_str,
1014                    this_len / 100, this_len % 100,
1015                    div->offset_relative_to_alignmask ?
1016                     "alignmask" : "",
1017                    div->offset, this_len == remaining ? "" : ", ");
1018         remaining -= this_len;
1019         div++;
1020     } while (remaining);
1021
1022     return p;
1023 }
1024
1025 /* Generate a random testvec_config for fuzz testing */
1026 static void generate_random_testvec_config(struct testvec_config *cfg,
1027                        char *name, size_t max_namelen)
1028 {
1029     char *p = name;
1030     char * const end = name + max_namelen;
1031
1032     memset(cfg, 0, sizeof(*cfg));
1033
1034     cfg->name = name;
1035
1036     p += scnprintf(p, end - p, "random:");
1037
1038     switch (prandom_u32() % 4) {
1039     case 0:
1040     case 1:
1041         cfg->inplace_mode = OUT_OF_PLACE;
1042         break;
1043     case 2:
1044         cfg->inplace_mode = INPLACE_ONE_SGLIST;
1045         p += scnprintf(p, end - p, " inplace_one_sglist");
1046         break;
1047     default:
1048         cfg->inplace_mode = INPLACE_TWO_SGLISTS;
1049         p += scnprintf(p, end - p, " inplace_two_sglists");
1050         break;
1051     }
1052
1053     if (prandom_u32() % 2 == 0) {
1054         cfg->req_flags |= CRYPTO_TFM_REQ_MAY_SLEEP;
1055         p += scnprintf(p, end - p, " may_sleep");
1056     }
1057
1058     switch (prandom_u32() % 4) {
1059     case 0:
1060         cfg->finalization_type = FINALIZATION_TYPE_FINAL;
1061         p += scnprintf(p, end - p, " use_final");
1062         break;
1063     case 1:
1064         cfg->finalization_type = FINALIZATION_TYPE_FINUP;
1065         p += scnprintf(p, end - p, " use_finup");
1066         break;
1067     default:
1068         cfg->finalization_type = FINALIZATION_TYPE_DIGEST;
1069         p += scnprintf(p, end - p, " use_digest");
1070         break;
1071     }
1072
1073     if (!(cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
1074         prandom_u32() % 2 == 0) {
1075         cfg->nosimd = true;
1076         p += scnprintf(p, end - p, " nosimd");
1077     }
1078
1079     p += scnprintf(p, end - p, " src_divs=[");
1080     p = generate_random_sgl_divisions(cfg->src_divs,
1081                       ARRAY_SIZE(cfg->src_divs), p, end,
1082                       (cfg->finalization_type !=
1083                        FINALIZATION_TYPE_DIGEST),
1084                       cfg->req_flags);
1085     p += scnprintf(p, end - p, "]");
1086
1087     if (cfg->inplace_mode == OUT_OF_PLACE && prandom_u32() % 2 == 0) {
1088         p += scnprintf(p, end - p, " dst_divs=[");
1089         p = generate_random_sgl_divisions(cfg->dst_divs,
1090                           ARRAY_SIZE(cfg->dst_divs),
1091                           p, end, false,
1092                           cfg->req_flags);
1093         p += scnprintf(p, end - p, "]");
1094     }
1095
1096     if (prandom_u32() % 2 == 0) {
1097         cfg->iv_offset = 1 + (prandom_u32() % MAX_ALGAPI_ALIGNMASK);
1098         p += scnprintf(p, end - p, " iv_offset=%u", cfg->iv_offset);
1099     }
1100
1101     if (prandom_u32() % 2 == 0) {
1102         cfg->key_offset = 1 + (prandom_u32() % MAX_ALGAPI_ALIGNMASK);
1103         p += scnprintf(p, end - p, " key_offset=%u", cfg->key_offset);
1104     }
1105
1106     WARN_ON_ONCE(!valid_testvec_config(cfg));
1107 }
1108
1109 static void crypto_disable_simd_for_test(void)
1110 {
1111     migrate_disable();
1112     __this_cpu_write(crypto_simd_disabled_for_test, true);
1113 }
1114
1115 static void crypto_reenable_simd_for_test(void)
1116 {
1117     __this_cpu_write(crypto_simd_disabled_for_test, false);
1118     migrate_enable();
1119 }
1120
1121 /*
1122  * Given an algorithm name, build the name of the generic implementation of that
1123  * algorithm, assuming the usual naming convention.  Specifically, this appends
1124  * "-generic" to every part of the name that is not a template name.  Examples:
1125  *
1126  *  aes => aes-generic
1127  *  cbc(aes) => cbc(aes-generic)
1128  *  cts(cbc(aes)) => cts(cbc(aes-generic))
1129  *  rfc7539(chacha20,poly1305) => rfc7539(chacha20-generic,poly1305-generic)
1130  *
1131  * Return: 0 on success, or -ENAMETOOLONG if the generic name would be too long
1132  */
1133 static int build_generic_driver_name(const char *algname,
1134                      char driver_name[CRYPTO_MAX_ALG_NAME])
1135 {
1136     const char *in = algname;
1137     char *out = driver_name;
1138     size_t len = strlen(algname);
1139
1140     if (len >= CRYPTO_MAX_ALG_NAME)
1141         goto too_long;
1142     do {
1143         const char *in_saved = in;
1144
1145         while (*in && *in != '(' && *in != ')' && *in != ',')
1146             *out++ = *in++;
1147         if (*in != '(' && in > in_saved) {
1148             len += 8;
1149             if (len >= CRYPTO_MAX_ALG_NAME)
1150                 goto too_long;
1151             memcpy(out, "-generic", 8);
1152             out += 8;
1153         }
1154     } while ((*out++ = *in++) != '\0');
1155     return 0;
1156
1157 too_long:
1158     pr_err("alg: generic driver name for \"%s\" would be too long\n",
1159            algname);
1160     return -ENAMETOOLONG;
1161 }
1162 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1163 static void crypto_disable_simd_for_test(void)
1164 {
1165 }
1166
1167 static void crypto_reenable_simd_for_test(void)
1168 {
1169 }
1170 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1171
1172 static int build_hash_sglist(struct test_sglist *tsgl,
1173                  const struct hash_testvec *vec,
1174                  const struct testvec_config *cfg,
1175                  unsigned int alignmask,
1176                  const struct test_sg_division *divs[XBUFSIZE])
1177 {
1178     struct kvec kv;
1179     struct iov_iter input;
1180
1181     kv.iov_base = (void *)vec->plaintext;
1182     kv.iov_len = vec->psize;
1183     iov_iter_kvec(&input, WRITE, &kv, 1, vec->psize);
1184     return build_test_sglist(tsgl, cfg->src_divs, alignmask, vec->psize,
1185                  &input, divs);
1186 }
1187
1188 static int check_hash_result(const char *type,
1189                  const u8 *result, unsigned int digestsize,
1190                  const struct hash_testvec *vec,
1191                  const char *vec_name,
1192                  const char *driver,
1193                  const struct testvec_config *cfg)
1194 {
1195     if (memcmp(result, vec->digest, digestsize) != 0) {
1196         pr_err("alg: %s: %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
1197                type, driver, vec_name, cfg->name);
1198         return -EINVAL;
1199     }
1200     if (!testmgr_is_poison(&result[digestsize], TESTMGR_POISON_LEN)) {
1201         pr_err("alg: %s: %s overran result buffer on test vector %s, cfg=\"%s\"\n",
1202                type, driver, vec_name, cfg->name);
1203         return -EOVERFLOW;
1204     }
1205     return 0;
1206 }
1207
1208 static inline int check_shash_op(const char *op, int err,
1209                  const char *driver, const char *vec_name,
1210                  const struct testvec_config *cfg)
1211 {
1212     if (err)
1213         pr_err("alg: shash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1214                driver, op, err, vec_name, cfg->name);
1215     return err;
1216 }
1217
1218 /* Test one hash test vector in one configuration, using the shash API */
1219 static int test_shash_vec_cfg(const struct hash_testvec *vec,
1220                   const char *vec_name,
1221                   const struct testvec_config *cfg,
1222                   struct shash_desc *desc,
1223                   struct test_sglist *tsgl,
1224                   u8 *hashstate)
1225 {
1226     struct crypto_shash *tfm = desc->tfm;
1227     const unsigned int alignmask = crypto_shash_alignmask(tfm);
1228     const unsigned int digestsize = crypto_shash_digestsize(tfm);
1229     const unsigned int statesize = crypto_shash_statesize(tfm);
1230     const char *driver = crypto_shash_driver_name(tfm);
1231     const struct test_sg_division *divs[XBUFSIZE];
1232     unsigned int i;
1233     u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1234     int err;
1235
1236     /* Set the key, if specified */
1237     if (vec->ksize) {
1238         err = do_setkey(crypto_shash_setkey, tfm, vec->key, vec->ksize,
1239                 cfg, alignmask);
1240         if (err) {
1241             if (err == vec->setkey_error)
1242                 return 0;
1243             pr_err("alg: shash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1244                    driver, vec_name, vec->setkey_error, err,
1245                    crypto_shash_get_flags(tfm));
1246             return err;
1247         }
1248         if (vec->setkey_error) {
1249             pr_err("alg: shash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1250                    driver, vec_name, vec->setkey_error);
1251             return -EINVAL;
1252         }
1253     }
1254
1255     /* Build the scatterlist for the source data */
1256     err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
1257     if (err) {
1258         pr_err("alg: shash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1259                driver, vec_name, cfg->name);
1260         return err;
1261     }
1262
1263     /* Do the actual hashing */
1264
1265     testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1266     testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1267
1268     if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1269         vec->digest_error) {
1270         /* Just using digest() */
1271         if (tsgl->nents != 1)
1272             return 0;
1273         if (cfg->nosimd)
1274             crypto_disable_simd_for_test();
1275         err = crypto_shash_digest(desc, sg_virt(&tsgl->sgl[0]),
1276                       tsgl->sgl[0].length, result);
1277         if (cfg->nosimd)
1278             crypto_reenable_simd_for_test();
1279         if (err) {
1280             if (err == vec->digest_error)
1281                 return 0;
1282             pr_err("alg: shash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1283                    driver, vec_name, vec->digest_error, err,
1284                    cfg->name);
1285             return err;
1286         }
1287         if (vec->digest_error) {
1288             pr_err("alg: shash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1289                    driver, vec_name, vec->digest_error, cfg->name);
1290             return -EINVAL;
1291         }
1292         goto result_ready;
1293     }
1294
1295     /* Using init(), zero or more update(), then final() or finup() */
1296
1297     if (cfg->nosimd)
1298         crypto_disable_simd_for_test();
1299     err = crypto_shash_init(desc);
1300     if (cfg->nosimd)
1301         crypto_reenable_simd_for_test();
1302     err = check_shash_op("init", err, driver, vec_name, cfg);
1303     if (err)
1304         return err;
1305
1306     for (i = 0; i < tsgl->nents; i++) {
1307         if (i + 1 == tsgl->nents &&
1308             cfg->finalization_type == FINALIZATION_TYPE_FINUP) {
1309             if (divs[i]->nosimd)
1310                 crypto_disable_simd_for_test();
1311             err = crypto_shash_finup(desc, sg_virt(&tsgl->sgl[i]),
1312                          tsgl->sgl[i].length, result);
1313             if (divs[i]->nosimd)
1314                 crypto_reenable_simd_for_test();
1315             err = check_shash_op("finup", err, driver, vec_name,
1316                          cfg);
1317             if (err)
1318                 return err;
1319             goto result_ready;
1320         }
1321         if (divs[i]->nosimd)
1322             crypto_disable_simd_for_test();
1323         err = crypto_shash_update(desc, sg_virt(&tsgl->sgl[i]),
1324                       tsgl->sgl[i].length);
1325         if (divs[i]->nosimd)
1326             crypto_reenable_simd_for_test();
1327         err = check_shash_op("update", err, driver, vec_name, cfg);
1328         if (err)
1329             return err;
1330         if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1331             /* Test ->export() and ->import() */
1332             testmgr_poison(hashstate + statesize,
1333                        TESTMGR_POISON_LEN);
1334             err = crypto_shash_export(desc, hashstate);
1335             err = check_shash_op("export", err, driver, vec_name,
1336                          cfg);
1337             if (err)
1338                 return err;
1339             if (!testmgr_is_poison(hashstate + statesize,
1340                            TESTMGR_POISON_LEN)) {
1341                 pr_err("alg: shash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1342                        driver, vec_name, cfg->name);
1343                 return -EOVERFLOW;
1344             }
1345             testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1346             err = crypto_shash_import(desc, hashstate);
1347             err = check_shash_op("import", err, driver, vec_name,
1348                          cfg);
1349             if (err)
1350                 return err;
1351         }
1352     }
1353
1354     if (cfg->nosimd)
1355         crypto_disable_simd_for_test();
1356     err = crypto_shash_final(desc, result);
1357     if (cfg->nosimd)
1358         crypto_reenable_simd_for_test();
1359     err = check_shash_op("final", err, driver, vec_name, cfg);
1360     if (err)
1361         return err;
1362 result_ready:
1363     return check_hash_result("shash", result, digestsize, vec, vec_name,
1364                  driver, cfg);
1365 }
1366
1367 static int do_ahash_op(int (*op)(struct ahash_request *req),
1368                struct ahash_request *req,
1369                struct crypto_wait *wait, bool nosimd)
1370 {
1371     int err;
1372
1373     if (nosimd)
1374         crypto_disable_simd_for_test();
1375
1376     err = op(req);
1377
1378     if (nosimd)
1379         crypto_reenable_simd_for_test();
1380
1381     return crypto_wait_req(err, wait);
1382 }
1383
1384 static int check_nonfinal_ahash_op(const char *op, int err,
1385                    u8 *result, unsigned int digestsize,
1386                    const char *driver, const char *vec_name,
1387                    const struct testvec_config *cfg)
1388 {
1389     if (err) {
1390         pr_err("alg: ahash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1391                driver, op, err, vec_name, cfg->name);
1392         return err;
1393     }
1394     if (!testmgr_is_poison(result, digestsize)) {
1395         pr_err("alg: ahash: %s %s() used result buffer on test vector %s, cfg=\"%s\"\n",
1396                driver, op, vec_name, cfg->name);
1397         return -EINVAL;
1398     }
1399     return 0;
1400 }
1401
1402 /* Test one hash test vector in one configuration, using the ahash API */
1403 static int test_ahash_vec_cfg(const struct hash_testvec *vec,
1404                   const char *vec_name,
1405                   const struct testvec_config *cfg,
1406                   struct ahash_request *req,
1407                   struct test_sglist *tsgl,
1408                   u8 *hashstate)
1409 {
1410     struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1411     const unsigned int alignmask = crypto_ahash_alignmask(tfm);
1412     const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1413     const unsigned int statesize = crypto_ahash_statesize(tfm);
1414     const char *driver = crypto_ahash_driver_name(tfm);
1415     const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
1416     const struct test_sg_division *divs[XBUFSIZE];
1417     DECLARE_CRYPTO_WAIT(wait);
1418     unsigned int i;
1419     struct scatterlist *pending_sgl;
1420     unsigned int pending_len;
1421     u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1422     int err;
1423
1424     /* Set the key, if specified */
1425     if (vec->ksize) {
1426         err = do_setkey(crypto_ahash_setkey, tfm, vec->key, vec->ksize,
1427                 cfg, alignmask);
1428         if (err) {
1429             if (err == vec->setkey_error)
1430                 return 0;
1431             pr_err("alg: ahash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1432                    driver, vec_name, vec->setkey_error, err,
1433                    crypto_ahash_get_flags(tfm));
1434             return err;
1435         }
1436         if (vec->setkey_error) {
1437             pr_err("alg: ahash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1438                    driver, vec_name, vec->setkey_error);
1439             return -EINVAL;
1440         }
1441     }
1442
1443     /* Build the scatterlist for the source data */
1444     err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
1445     if (err) {
1446         pr_err("alg: ahash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1447                driver, vec_name, cfg->name);
1448         return err;
1449     }
1450
1451     /* Do the actual hashing */
1452
1453     testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1454     testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1455
1456     if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1457         vec->digest_error) {
1458         /* Just using digest() */
1459         ahash_request_set_callback(req, req_flags, crypto_req_done,
1460                        &wait);
1461         ahash_request_set_crypt(req, tsgl->sgl, result, vec->psize);
1462         err = do_ahash_op(crypto_ahash_digest, req, &wait, cfg->nosimd);
1463         if (err) {
1464             if (err == vec->digest_error)
1465                 return 0;
1466             pr_err("alg: ahash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1467                    driver, vec_name, vec->digest_error, err,
1468                    cfg->name);
1469             return err;
1470         }
1471         if (vec->digest_error) {
1472             pr_err("alg: ahash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1473                    driver, vec_name, vec->digest_error, cfg->name);
1474             return -EINVAL;
1475         }
1476         goto result_ready;
1477     }
1478
1479     /* Using init(), zero or more update(), then final() or finup() */
1480
1481     ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1482     ahash_request_set_crypt(req, NULL, result, 0);
1483     err = do_ahash_op(crypto_ahash_init, req, &wait, cfg->nosimd);
1484     err = check_nonfinal_ahash_op("init", err, result, digestsize,
1485                       driver, vec_name, cfg);
1486     if (err)
1487         return err;
1488
1489     pending_sgl = NULL;
1490     pending_len = 0;
1491     for (i = 0; i < tsgl->nents; i++) {
1492         if (divs[i]->flush_type != FLUSH_TYPE_NONE &&
1493             pending_sgl != NULL) {
1494             /* update() with the pending data */
1495             ahash_request_set_callback(req, req_flags,
1496                            crypto_req_done, &wait);
1497             ahash_request_set_crypt(req, pending_sgl, result,
1498                         pending_len);
1499             err = do_ahash_op(crypto_ahash_update, req, &wait,
1500                       divs[i]->nosimd);
1501             err = check_nonfinal_ahash_op("update", err,
1502                               result, digestsize,
1503                               driver, vec_name, cfg);
1504             if (err)
1505                 return err;
1506             pending_sgl = NULL;
1507             pending_len = 0;
1508         }
1509         if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1510             /* Test ->export() and ->import() */
1511             testmgr_poison(hashstate + statesize,
1512                        TESTMGR_POISON_LEN);
1513             err = crypto_ahash_export(req, hashstate);
1514             err = check_nonfinal_ahash_op("export", err,
1515                               result, digestsize,
1516                               driver, vec_name, cfg);
1517             if (err)
1518                 return err;
1519             if (!testmgr_is_poison(hashstate + statesize,
1520                            TESTMGR_POISON_LEN)) {
1521                 pr_err("alg: ahash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1522                        driver, vec_name, cfg->name);
1523                 return -EOVERFLOW;
1524             }
1525
1526             testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1527             err = crypto_ahash_import(req, hashstate);
1528             err = check_nonfinal_ahash_op("import", err,
1529                               result, digestsize,
1530                               driver, vec_name, cfg);
1531             if (err)
1532                 return err;
1533         }
1534         if (pending_sgl == NULL)
1535             pending_sgl = &tsgl->sgl[i];
1536         pending_len += tsgl->sgl[i].length;
1537     }
1538
1539     ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1540     ahash_request_set_crypt(req, pending_sgl, result, pending_len);
1541     if (cfg->finalization_type == FINALIZATION_TYPE_FINAL) {
1542         /* finish with update() and final() */
1543         err = do_ahash_op(crypto_ahash_update, req, &wait, cfg->nosimd);
1544         err = check_nonfinal_ahash_op("update", err, result, digestsize,
1545                           driver, vec_name, cfg);
1546         if (err)
1547             return err;
1548         err = do_ahash_op(crypto_ahash_final, req, &wait, cfg->nosimd);
1549         if (err) {
1550             pr_err("alg: ahash: %s final() failed with err %d on test vector %s, cfg=\"%s\"\n",
1551                    driver, err, vec_name, cfg->name);
1552             return err;
1553         }
1554     } else {
1555         /* finish with finup() */
1556         err = do_ahash_op(crypto_ahash_finup, req, &wait, cfg->nosimd);
1557         if (err) {
1558             pr_err("alg: ahash: %s finup() failed with err %d on test vector %s, cfg=\"%s\"\n",
1559                    driver, err, vec_name, cfg->name);
1560             return err;
1561         }
1562     }
1563
1564 result_ready:
1565     return check_hash_result("ahash", result, digestsize, vec, vec_name,
1566                  driver, cfg);
1567 }
1568
1569 static int test_hash_vec_cfg(const struct hash_testvec *vec,
1570                  const char *vec_name,
1571                  const struct testvec_config *cfg,
1572                  struct ahash_request *req,
1573                  struct shash_desc *desc,
1574                  struct test_sglist *tsgl,
1575                  u8 *hashstate)
1576 {
1577     int err;
1578
1579     /*
1580      * For algorithms implemented as "shash", most bugs will be detected by
1581      * both the shash and ahash tests.  Test the shash API first so that the
1582      * failures involve less indirection, so are easier to debug.
1583      */
1584
1585     if (desc) {
1586         err = test_shash_vec_cfg(vec, vec_name, cfg, desc, tsgl,
1587                      hashstate);
1588         if (err)
1589             return err;
1590     }
1591
1592     return test_ahash_vec_cfg(vec, vec_name, cfg, req, tsgl, hashstate);
1593 }
1594
1595 static int test_hash_vec(const struct hash_testvec *vec, unsigned int vec_num,
1596              struct ahash_request *req, struct shash_desc *desc,
1597              struct test_sglist *tsgl, u8 *hashstate)
1598 {
1599     char vec_name[16];
1600     unsigned int i;
1601     int err;
1602
1603     sprintf(vec_name, "%u", vec_num);
1604
1605     for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++) {
1606         err = test_hash_vec_cfg(vec, vec_name,
1607                     &default_hash_testvec_configs[i],
1608                     req, desc, tsgl, hashstate);
1609         if (err)
1610             return err;
1611     }
1612
1613 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1614     if (!noextratests) {
1615         struct testvec_config cfg;
1616         char cfgname[TESTVEC_CONFIG_NAMELEN];
1617
1618         for (i = 0; i < fuzz_iterations; i++) {
1619             generate_random_testvec_config(&cfg, cfgname,
1620                                sizeof(cfgname));
1621             err = test_hash_vec_cfg(vec, vec_name, &cfg,
1622                         req, desc, tsgl, hashstate);
1623             if (err)
1624                 return err;
1625             cond_resched();
1626         }
1627     }
1628 #endif
1629     return 0;
1630 }
1631
1632 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1633 /*
1634  * Generate a hash test vector from the given implementation.
1635  * Assumes the buffers in 'vec' were already allocated.
1636  */
1637 static void generate_random_hash_testvec(struct shash_desc *desc,
1638                      struct hash_testvec *vec,
1639                      unsigned int maxkeysize,
1640                      unsigned int maxdatasize,
1641                      char *name, size_t max_namelen)
1642 {
1643     /* Data */
1644     vec->psize = generate_random_length(maxdatasize);
1645     generate_random_bytes((u8 *)vec->plaintext, vec->psize);
1646
1647     /*
1648      * Key: length in range [1, maxkeysize], but usually choose maxkeysize.
1649      * If algorithm is unkeyed, then maxkeysize == 0 and set ksize = 0.
1650      */
1651     vec->setkey_error = 0;
1652     vec->ksize = 0;
1653     if (maxkeysize) {
1654         vec->ksize = maxkeysize;
1655         if (prandom_u32() % 4 == 0)
1656             vec->ksize = 1 + (prandom_u32() % maxkeysize);
1657         generate_random_bytes((u8 *)vec->key, vec->ksize);
1658
1659         vec->setkey_error = crypto_shash_setkey(desc->tfm, vec->key,
1660                             vec->ksize);
1661         /* If the key couldn't be set, no need to continue to digest. */
1662         if (vec->setkey_error)
1663             goto done;
1664     }
1665
1666     /* Digest */
1667     vec->digest_error = crypto_shash_digest(desc, vec->plaintext,
1668                         vec->psize, (u8 *)vec->digest);
1669 done:
1670     snprintf(name, max_namelen, "\"random: psize=%u ksize=%u\"",
1671          vec->psize, vec->ksize);
1672 }
1673
1674 /*
1675  * Test the hash algorithm represented by @req against the corresponding generic
1676  * implementation, if one is available.
1677  */
1678 static int test_hash_vs_generic_impl(const char *generic_driver,
1679                      unsigned int maxkeysize,
1680                      struct ahash_request *req,
1681                      struct shash_desc *desc,
1682                      struct test_sglist *tsgl,
1683                      u8 *hashstate)
1684 {
1685     struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1686     const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1687     const unsigned int blocksize = crypto_ahash_blocksize(tfm);
1688     const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
1689     const char *algname = crypto_hash_alg_common(tfm)->base.cra_name;
1690     const char *driver = crypto_ahash_driver_name(tfm);
1691     char _generic_driver[CRYPTO_MAX_ALG_NAME];
1692     struct crypto_shash *generic_tfm = NULL;
1693     struct shash_desc *generic_desc = NULL;
1694     unsigned int i;
1695     struct hash_testvec vec = { 0 };
1696     char vec_name[64];
1697     struct testvec_config *cfg;
1698     char cfgname[TESTVEC_CONFIG_NAMELEN];
1699     int err;
1700
1701     if (noextratests)
1702         return 0;
1703
1704     if (!generic_driver) { /* Use default naming convention? */
1705         err = build_generic_driver_name(algname, _generic_driver);
1706         if (err)
1707             return err;
1708         generic_driver = _generic_driver;
1709     }
1710
1711     if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
1712         return 0;
1713
1714     generic_tfm = crypto_alloc_shash(generic_driver, 0, 0);
1715     if (IS_ERR(generic_tfm)) {
1716         err = PTR_ERR(generic_tfm);
1717         if (err == -ENOENT) {
1718             pr_warn("alg: hash: skipping comparison tests for %s because %s is unavailable\n",
1719                 driver, generic_driver);
1720             return 0;
1721         }
1722         pr_err("alg: hash: error allocating %s (generic impl of %s): %d\n",
1723                generic_driver, algname, err);
1724         return err;
1725     }
1726
1727     cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
1728     if (!cfg) {
1729         err = -ENOMEM;
1730         goto out;
1731     }
1732
1733     generic_desc = kzalloc(sizeof(*desc) +
1734                    crypto_shash_descsize(generic_tfm), GFP_KERNEL);
1735     if (!generic_desc) {
1736         err = -ENOMEM;
1737         goto out;
1738     }
1739     generic_desc->tfm = generic_tfm;
1740
1741     /* Check the algorithm properties for consistency. */
1742
1743     if (digestsize != crypto_shash_digestsize(generic_tfm)) {
1744         pr_err("alg: hash: digestsize for %s (%u) doesn't match generic impl (%u)\n",
1745                driver, digestsize,
1746                crypto_shash_digestsize(generic_tfm));
1747         err = -EINVAL;
1748         goto out;
1749     }
1750
1751     if (blocksize != crypto_shash_blocksize(generic_tfm)) {
1752         pr_err("alg: hash: blocksize for %s (%u) doesn't match generic impl (%u)\n",
1753                driver, blocksize, crypto_shash_blocksize(generic_tfm));
1754         err = -EINVAL;
1755         goto out;
1756     }
1757
1758     /*
1759      * Now generate test vectors using the generic implementation, and test
1760      * the other implementation against them.
1761      */
1762
1763     vec.key = kmalloc(maxkeysize, GFP_KERNEL);
1764     vec.plaintext = kmalloc(maxdatasize, GFP_KERNEL);
1765     vec.digest = kmalloc(digestsize, GFP_KERNEL);
1766     if (!vec.key || !vec.plaintext || !vec.digest) {
1767         err = -ENOMEM;
1768         goto out;
1769     }
1770
1771     for (i = 0; i < fuzz_iterations * 8; i++) {
1772         generate_random_hash_testvec(generic_desc, &vec,
1773                          maxkeysize, maxdatasize,
1774                          vec_name, sizeof(vec_name));
1775         generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
1776
1777         err = test_hash_vec_cfg(&vec, vec_name, cfg,
1778                     req, desc, tsgl, hashstate);
1779         if (err)
1780             goto out;
1781         cond_resched();
1782     }
1783     err = 0;
1784 out:
1785     kfree(cfg);
1786     kfree(vec.key);
1787     kfree(vec.plaintext);
1788     kfree(vec.digest);
1789     crypto_free_shash(generic_tfm);
1790     kfree_sensitive(generic_desc);
1791     return err;
1792 }
1793 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1794 static int test_hash_vs_generic_impl(const char *generic_driver,
1795                      unsigned int maxkeysize,
1796                      struct ahash_request *req,
1797                      struct shash_desc *desc,
1798                      struct test_sglist *tsgl,
1799                      u8 *hashstate)
1800 {
1801     return 0;
1802 }
1803 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1804
1805 static int alloc_shash(const char *driver, u32 type, u32 mask,
1806                struct crypto_shash **tfm_ret,
1807                struct shash_desc **desc_ret)
1808 {
1809     struct crypto_shash *tfm;
1810     struct shash_desc *desc;
1811
1812     tfm = crypto_alloc_shash(driver, type, mask);
1813     if (IS_ERR(tfm)) {
1814         if (PTR_ERR(tfm) == -ENOENT) {
1815             /*
1816              * This algorithm is only available through the ahash
1817              * API, not the shash API, so skip the shash tests.
1818              */
1819             return 0;
1820         }
1821         pr_err("alg: hash: failed to allocate shash transform for %s: %ld\n",
1822                driver, PTR_ERR(tfm));
1823         return PTR_ERR(tfm);
1824     }
1825
1826     desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
1827     if (!desc) {
1828         crypto_free_shash(tfm);
1829         return -ENOMEM;
1830     }
1831     desc->tfm = tfm;
1832
1833     *tfm_ret = tfm;
1834     *desc_ret = desc;
1835     return 0;
1836 }
1837
1838 static int __alg_test_hash(const struct hash_testvec *vecs,
1839                unsigned int num_vecs, const char *driver,
1840                u32 type, u32 mask,
1841                const char *generic_driver, unsigned int maxkeysize)
1842 {
1843     struct crypto_ahash *atfm = NULL;
1844     struct ahash_request *req = NULL;
1845     struct crypto_shash *stfm = NULL;
1846     struct shash_desc *desc = NULL;
1847     struct test_sglist *tsgl = NULL;
1848     u8 *hashstate = NULL;
1849     unsigned int statesize;
1850     unsigned int i;
1851     int err;
1852
1853     /*
1854      * Always test the ahash API.  This works regardless of whether the
1855      * algorithm is implemented as ahash or shash.
1856      */
1857
1858     atfm = crypto_alloc_ahash(driver, type, mask);
1859     if (IS_ERR(atfm)) {
1860         pr_err("alg: hash: failed to allocate transform for %s: %ld\n",
1861                driver, PTR_ERR(atfm));
1862         return PTR_ERR(atfm);
1863     }
1864     driver = crypto_ahash_driver_name(atfm);
1865
1866     req = ahash_request_alloc(atfm, GFP_KERNEL);
1867     if (!req) {
1868         pr_err("alg: hash: failed to allocate request for %s\n",
1869                driver);
1870         err = -ENOMEM;
1871         goto out;
1872     }
1873
1874     /*
1875      * If available also test the shash API, to cover corner cases that may
1876      * be missed by testing the ahash API only.
1877      */
1878     err = alloc_shash(driver, type, mask, &stfm, &desc);
1879     if (err)
1880         goto out;
1881
1882     tsgl = kmalloc(sizeof(*tsgl), GFP_KERNEL);
1883     if (!tsgl || init_test_sglist(tsgl) != 0) {
1884         pr_err("alg: hash: failed to allocate test buffers for %s\n",
1885                driver);
1886         kfree(tsgl);
1887         tsgl = NULL;
1888         err = -ENOMEM;
1889         goto out;
1890     }
1891
1892     statesize = crypto_ahash_statesize(atfm);
1893     if (stfm)
1894         statesize = max(statesize, crypto_shash_statesize(stfm));
1895     hashstate = kmalloc(statesize + TESTMGR_POISON_LEN, GFP_KERNEL);
1896     if (!hashstate) {
1897         pr_err("alg: hash: failed to allocate hash state buffer for %s\n",
1898                driver);
1899         err = -ENOMEM;
1900         goto out;
1901     }
1902
1903     for (i = 0; i < num_vecs; i++) {
1904         if (fips_enabled && vecs[i].fips_skip)
1905             continue;
1906
1907         err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
1908         if (err)
1909             goto out;
1910         cond_resched();
1911     }
1912     err = test_hash_vs_generic_impl(generic_driver, maxkeysize, req,
1913                     desc, tsgl, hashstate);
1914 out:
1915     kfree(hashstate);
1916     if (tsgl) {
1917         destroy_test_sglist(tsgl);
1918         kfree(tsgl);
1919     }
1920     kfree(desc);
1921     crypto_free_shash(stfm);
1922     ahash_request_free(req);
1923     crypto_free_ahash(atfm);
1924     return err;
1925 }
1926
1927 static int alg_test_hash(const struct alg_test_desc *desc, const char *driver,
1928              u32 type, u32 mask)
1929 {
1930     const struct hash_testvec *template = desc->suite.hash.vecs;
1931     unsigned int tcount = desc->suite.hash.count;
1932     unsigned int nr_unkeyed, nr_keyed;
1933     unsigned int maxkeysize = 0;
1934     int err;
1935
1936     /*
1937      * For OPTIONAL_KEY algorithms, we have to do all the unkeyed tests
1938      * first, before setting a key on the tfm.  To make this easier, we
1939      * require that the unkeyed test vectors (if any) are listed first.
1940      */
1941
1942     for (nr_unkeyed = 0; nr_unkeyed < tcount; nr_unkeyed++) {
1943         if (template[nr_unkeyed].ksize)
1944             break;
1945     }
1946     for (nr_keyed = 0; nr_unkeyed + nr_keyed < tcount; nr_keyed++) {
1947         if (!template[nr_unkeyed + nr_keyed].ksize) {
1948             pr_err("alg: hash: test vectors for %s out of order, "
1949                    "unkeyed ones must come first\n", desc->alg);
1950             return -EINVAL;
1951         }
1952         maxkeysize = max_t(unsigned int, maxkeysize,
1953                    template[nr_unkeyed + nr_keyed].ksize);
1954     }
1955
1956     err = 0;
1957     if (nr_unkeyed) {
1958         err = __alg_test_hash(template, nr_unkeyed, driver, type, mask,
1959                       desc->generic_driver, maxkeysize);
1960         template += nr_unkeyed;
1961     }
1962
1963     if (!err && nr_keyed)
1964         err = __alg_test_hash(template, nr_keyed, driver, type, mask,
1965                       desc->generic_driver, maxkeysize);
1966
1967     return err;
1968 }
1969
1970 static int test_aead_vec_cfg(int enc, const struct aead_testvec *vec,
1971                  const char *vec_name,
1972                  const struct testvec_config *cfg,
1973                  struct aead_request *req,
1974                  struct cipher_test_sglists *tsgls)
1975 {
1976     struct crypto_aead *tfm = crypto_aead_reqtfm(req);
1977     const unsigned int alignmask = crypto_aead_alignmask(tfm);
1978     const unsigned int ivsize = crypto_aead_ivsize(tfm);
1979     const unsigned int authsize = vec->clen - vec->plen;
1980     const char *driver = crypto_aead_driver_name(tfm);
1981     const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
1982     const char *op = enc ? "encryption" : "decryption";
1983     DECLARE_CRYPTO_WAIT(wait);
1984     u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
1985     u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
1986          cfg->iv_offset +
1987          (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
1988     struct kvec input[2];
1989     int err;
1990
1991     /* Set the key */
1992     if (vec->wk)
1993         crypto_aead_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1994     else
1995         crypto_aead_clear_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
1996
1997     err = do_setkey(crypto_aead_setkey, tfm, vec->key, vec->klen,
1998             cfg, alignmask);
1999     if (err && err != vec->setkey_error) {
2000         pr_err("alg: aead: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2001                driver, vec_name, vec->setkey_error, err,
2002                crypto_aead_get_flags(tfm));
2003         return err;
2004     }
2005     if (!err && vec->setkey_error) {
2006         pr_err("alg: aead: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2007                driver, vec_name, vec->setkey_error);
2008         return -EINVAL;
2009     }
2010
2011     /* Set the authentication tag size */
2012     err = crypto_aead_setauthsize(tfm, authsize);
2013     if (err && err != vec->setauthsize_error) {
2014         pr_err("alg: aead: %s setauthsize failed on test vector %s; expected_error=%d, actual_error=%d\n",
2015                driver, vec_name, vec->setauthsize_error, err);
2016         return err;
2017     }
2018     if (!err && vec->setauthsize_error) {
2019         pr_err("alg: aead: %s setauthsize unexpectedly succeeded on test vector %s; expected_error=%d\n",
2020                driver, vec_name, vec->setauthsize_error);
2021         return -EINVAL;
2022     }
2023
2024     if (vec->setkey_error || vec->setauthsize_error)
2025         return 0;
2026
2027     /* The IV must be copied to a buffer, as the algorithm may modify it */
2028     if (WARN_ON(ivsize > MAX_IVLEN))
2029         return -EINVAL;
2030     if (vec->iv)
2031         memcpy(iv, vec->iv, ivsize);
2032     else
2033         memset(iv, 0, ivsize);
2034
2035     /* Build the src/dst scatterlists */
2036     input[0].iov_base = (void *)vec->assoc;
2037     input[0].iov_len = vec->alen;
2038     input[1].iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2039     input[1].iov_len = enc ? vec->plen : vec->clen;
2040     err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2041                     vec->alen + (enc ? vec->plen :
2042                              vec->clen),
2043                     vec->alen + (enc ? vec->clen :
2044                              vec->plen),
2045                     input, 2);
2046     if (err) {
2047         pr_err("alg: aead: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2048                driver, op, vec_name, cfg->name);
2049         return err;
2050     }
2051
2052     /* Do the actual encryption or decryption */
2053     testmgr_poison(req->__ctx, crypto_aead_reqsize(tfm));
2054     aead_request_set_callback(req, req_flags, crypto_req_done, &wait);
2055     aead_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2056                    enc ? vec->plen : vec->clen, iv);
2057     aead_request_set_ad(req, vec->alen);
2058     if (cfg->nosimd)
2059         crypto_disable_simd_for_test();
2060     err = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
2061     if (cfg->nosimd)
2062         crypto_reenable_simd_for_test();
2063     err = crypto_wait_req(err, &wait);
2064
2065     /* Check that the algorithm didn't overwrite things it shouldn't have */
2066     if (req->cryptlen != (enc ? vec->plen : vec->clen) ||
2067         req->assoclen != vec->alen ||
2068         req->iv != iv ||
2069         req->src != tsgls->src.sgl_ptr ||
2070         req->dst != tsgls->dst.sgl_ptr ||
2071         crypto_aead_reqtfm(req) != tfm ||
2072         req->base.complete != crypto_req_done ||
2073         req->base.flags != req_flags ||
2074         req->base.data != &wait) {
2075         pr_err("alg: aead: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2076                driver, op, vec_name, cfg->name);
2077         if (req->cryptlen != (enc ? vec->plen : vec->clen))
2078             pr_err("alg: aead: changed 'req->cryptlen'\n");
2079         if (req->assoclen != vec->alen)
2080             pr_err("alg: aead: changed 'req->assoclen'\n");
2081         if (req->iv != iv)
2082             pr_err("alg: aead: changed 'req->iv'\n");
2083         if (req->src != tsgls->src.sgl_ptr)
2084             pr_err("alg: aead: changed 'req->src'\n");
2085         if (req->dst != tsgls->dst.sgl_ptr)
2086             pr_err("alg: aead: changed 'req->dst'\n");
2087         if (crypto_aead_reqtfm(req) != tfm)
2088             pr_err("alg: aead: changed 'req->base.tfm'\n");
2089         if (req->base.complete != crypto_req_done)
2090             pr_err("alg: aead: changed 'req->base.complete'\n");
2091         if (req->base.flags != req_flags)
2092             pr_err("alg: aead: changed 'req->base.flags'\n");
2093         if (req->base.data != &wait)
2094             pr_err("alg: aead: changed 'req->base.data'\n");
2095         return -EINVAL;
2096     }
2097     if (is_test_sglist_corrupted(&tsgls->src)) {
2098         pr_err("alg: aead: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2099                driver, op, vec_name, cfg->name);
2100         return -EINVAL;
2101     }
2102     if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2103         is_test_sglist_corrupted(&tsgls->dst)) {
2104         pr_err("alg: aead: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2105                driver, op, vec_name, cfg->name);
2106         return -EINVAL;
2107     }
2108
2109     /* Check for unexpected success or failure, or wrong error code */
2110     if ((err == 0 && vec->novrfy) ||
2111         (err != vec->crypt_error && !(err == -EBADMSG && vec->novrfy))) {
2112         char expected_error[32];
2113
2114         if (vec->novrfy &&
2115             vec->crypt_error != 0 && vec->crypt_error != -EBADMSG)
2116             sprintf(expected_error, "-EBADMSG or %d",
2117                 vec->crypt_error);
2118         else if (vec->novrfy)
2119             sprintf(expected_error, "-EBADMSG");
2120         else
2121             sprintf(expected_error, "%d", vec->crypt_error);
2122         if (err) {
2123             pr_err("alg: aead: %s %s failed on test vector %s; expected_error=%s, actual_error=%d, cfg=\"%s\"\n",
2124                    driver, op, vec_name, expected_error, err,
2125                    cfg->name);
2126             return err;
2127         }
2128         pr_err("alg: aead: %s %s unexpectedly succeeded on test vector %s; expected_error=%s, cfg=\"%s\"\n",
2129                driver, op, vec_name, expected_error, cfg->name);
2130         return -EINVAL;
2131     }
2132     if (err) /* Expectedly failed. */
2133         return 0;
2134
2135     /* Check for the correct output (ciphertext or plaintext) */
2136     err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2137                     enc ? vec->clen : vec->plen,
2138                     vec->alen,
2139                     enc || cfg->inplace_mode == OUT_OF_PLACE);
2140     if (err == -EOVERFLOW) {
2141         pr_err("alg: aead: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2142                driver, op, vec_name, cfg->name);
2143         return err;
2144     }
2145     if (err) {
2146         pr_err("alg: aead: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2147                driver, op, vec_name, cfg->name);
2148         return err;
2149     }
2150
2151     return 0;
2152 }
2153
2154 static int test_aead_vec(int enc, const struct aead_testvec *vec,
2155              unsigned int vec_num, struct aead_request *req,
2156              struct cipher_test_sglists *tsgls)
2157 {
2158     char vec_name[16];
2159     unsigned int i;
2160     int err;
2161
2162     if (enc && vec->novrfy)
2163         return 0;
2164
2165     sprintf(vec_name, "%u", vec_num);
2166
2167     for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2168         err = test_aead_vec_cfg(enc, vec, vec_name,
2169                     &default_cipher_testvec_configs[i],
2170                     req, tsgls);
2171         if (err)
2172             return err;
2173     }
2174
2175 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2176     if (!noextratests) {
2177         struct testvec_config cfg;
2178         char cfgname[TESTVEC_CONFIG_NAMELEN];
2179
2180         for (i = 0; i < fuzz_iterations; i++) {
2181             generate_random_testvec_config(&cfg, cfgname,
2182                                sizeof(cfgname));
2183             err = test_aead_vec_cfg(enc, vec, vec_name,
2184                         &cfg, req, tsgls);
2185             if (err)
2186                 return err;
2187             cond_resched();
2188         }
2189     }
2190 #endif
2191     return 0;
2192 }
2193
2194 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2195
2196 struct aead_extra_tests_ctx {
2197     struct aead_request *req;
2198     struct crypto_aead *tfm;
2199     const struct alg_test_desc *test_desc;
2200     struct cipher_test_sglists *tsgls;
2201     unsigned int maxdatasize;
2202     unsigned int maxkeysize;
2203
2204     struct aead_testvec vec;
2205     char vec_name[64];
2206     char cfgname[TESTVEC_CONFIG_NAMELEN];
2207     struct testvec_config cfg;
2208 };
2209
2210 /*
2211  * Make at least one random change to a (ciphertext, AAD) pair.  "Ciphertext"
2212  * here means the full ciphertext including the authentication tag.  The
2213  * authentication tag (and hence also the ciphertext) is assumed to be nonempty.
2214  */
2215 static void mutate_aead_message(struct aead_testvec *vec, bool aad_iv,
2216                 unsigned int ivsize)
2217 {
2218     const unsigned int aad_tail_size = aad_iv ? ivsize : 0;
2219     const unsigned int authsize = vec->clen - vec->plen;
2220
2221     if (prandom_u32() % 2 == 0 && vec->alen > aad_tail_size) {
2222          /* Mutate the AAD */
2223         flip_random_bit((u8 *)vec->assoc, vec->alen - aad_tail_size);
2224         if (prandom_u32() % 2 == 0)
2225             return;
2226     }
2227     if (prandom_u32() % 2 == 0) {
2228         /* Mutate auth tag (assuming it's at the end of ciphertext) */
2229         flip_random_bit((u8 *)vec->ctext + vec->plen, authsize);
2230     } else {
2231         /* Mutate any part of the ciphertext */
2232         flip_random_bit((u8 *)vec->ctext, vec->clen);
2233     }
2234 }
2235
2236 /*
2237  * Minimum authentication tag size in bytes at which we assume that we can
2238  * reliably generate inauthentic messages, i.e. not generate an authentic
2239  * message by chance.
2240  */
2241 #define MIN_COLLISION_FREE_AUTHSIZE 8
2242
2243 static void generate_aead_message(struct aead_request *req,
2244                   const struct aead_test_suite *suite,
2245                   struct aead_testvec *vec,
2246                   bool prefer_inauthentic)
2247 {
2248     struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2249     const unsigned int ivsize = crypto_aead_ivsize(tfm);
2250     const unsigned int authsize = vec->clen - vec->plen;
2251     const bool inauthentic = (authsize >= MIN_COLLISION_FREE_AUTHSIZE) &&
2252                  (prefer_inauthentic || prandom_u32() % 4 == 0);
2253
2254     /* Generate the AAD. */
2255     generate_random_bytes((u8 *)vec->assoc, vec->alen);
2256     if (suite->aad_iv && vec->alen >= ivsize)
2257         /* Avoid implementation-defined behavior. */
2258         memcpy((u8 *)vec->assoc + vec->alen - ivsize, vec->iv, ivsize);
2259
2260     if (inauthentic && prandom_u32() % 2 == 0) {
2261         /* Generate a random ciphertext. */
2262         generate_random_bytes((u8 *)vec->ctext, vec->clen);
2263     } else {
2264         int i = 0;
2265         struct scatterlist src[2], dst;
2266         u8 iv[MAX_IVLEN];
2267         DECLARE_CRYPTO_WAIT(wait);
2268
2269         /* Generate a random plaintext and encrypt it. */
2270         sg_init_table(src, 2);
2271         if (vec->alen)
2272             sg_set_buf(&src[i++], vec->assoc, vec->alen);
2273         if (vec->plen) {
2274             generate_random_bytes((u8 *)vec->ptext, vec->plen);
2275             sg_set_buf(&src[i++], vec->ptext, vec->plen);
2276         }
2277         sg_init_one(&dst, vec->ctext, vec->alen + vec->clen);
2278         memcpy(iv, vec->iv, ivsize);
2279         aead_request_set_callback(req, 0, crypto_req_done, &wait);
2280         aead_request_set_crypt(req, src, &dst, vec->plen, iv);
2281         aead_request_set_ad(req, vec->alen);
2282         vec->crypt_error = crypto_wait_req(crypto_aead_encrypt(req),
2283                            &wait);
2284         /* If encryption failed, we're done. */
2285         if (vec->crypt_error != 0)
2286             return;
2287         memmove((u8 *)vec->ctext, vec->ctext + vec->alen, vec->clen);
2288         if (!inauthentic)
2289             return;
2290         /*
2291          * Mutate the authentic (ciphertext, AAD) pair to get an
2292          * inauthentic one.
2293          */
2294         mutate_aead_message(vec, suite->aad_iv, ivsize);
2295     }
2296     vec->novrfy = 1;
2297     if (suite->einval_allowed)
2298         vec->crypt_error = -EINVAL;
2299 }
2300
2301 /*
2302  * Generate an AEAD test vector 'vec' using the implementation specified by
2303  * 'req'.  The buffers in 'vec' must already be allocated.
2304  *
2305  * If 'prefer_inauthentic' is true, then this function will generate inauthentic
2306  * test vectors (i.e. vectors with 'vec->novrfy=1') more often.
2307  */
2308 static void generate_random_aead_testvec(struct aead_request *req,
2309                      struct aead_testvec *vec,
2310                      const struct aead_test_suite *suite,
2311                      unsigned int maxkeysize,
2312                      unsigned int maxdatasize,
2313                      char *name, size_t max_namelen,
2314                      bool prefer_inauthentic)
2315 {
2316     struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2317     const unsigned int ivsize = crypto_aead_ivsize(tfm);
2318     const unsigned int maxauthsize = crypto_aead_maxauthsize(tfm);
2319     unsigned int authsize;
2320     unsigned int total_len;
2321
2322     /* Key: length in [0, maxkeysize], but usually choose maxkeysize */
2323     vec->klen = maxkeysize;
2324     if (prandom_u32() % 4 == 0)
2325         vec->klen = prandom_u32() % (maxkeysize + 1);
2326     generate_random_bytes((u8 *)vec->key, vec->klen);
2327     vec->setkey_error = crypto_aead_setkey(tfm, vec->key, vec->klen);
2328
2329     /* IV */
2330     generate_random_bytes((u8 *)vec->iv, ivsize);
2331
2332     /* Tag length: in [0, maxauthsize], but usually choose maxauthsize */
2333     authsize = maxauthsize;
2334     if (prandom_u32() % 4 == 0)
2335         authsize = prandom_u32() % (maxauthsize + 1);
2336     if (prefer_inauthentic && authsize < MIN_COLLISION_FREE_AUTHSIZE)
2337         authsize = MIN_COLLISION_FREE_AUTHSIZE;
2338     if (WARN_ON(authsize > maxdatasize))
2339         authsize = maxdatasize;
2340     maxdatasize -= authsize;
2341     vec->setauthsize_error = crypto_aead_setauthsize(tfm, authsize);
2342
2343     /* AAD, plaintext, and ciphertext lengths */
2344     total_len = generate_random_length(maxdatasize);
2345     if (prandom_u32() % 4 == 0)
2346         vec->alen = 0;
2347     else
2348         vec->alen = generate_random_length(total_len);
2349     vec->plen = total_len - vec->alen;
2350     vec->clen = vec->plen + authsize;
2351
2352     /*
2353      * Generate the AAD, plaintext, and ciphertext.  Not applicable if the
2354      * key or the authentication tag size couldn't be set.
2355      */
2356     vec->novrfy = 0;
2357     vec->crypt_error = 0;
2358     if (vec->setkey_error == 0 && vec->setauthsize_error == 0)
2359         generate_aead_message(req, suite, vec, prefer_inauthentic);
2360     snprintf(name, max_namelen,
2361          "\"random: alen=%u plen=%u authsize=%u klen=%u novrfy=%d\"",
2362          vec->alen, vec->plen, authsize, vec->klen, vec->novrfy);
2363 }
2364
2365 static void try_to_generate_inauthentic_testvec(
2366                     struct aead_extra_tests_ctx *ctx)
2367 {
2368     int i;
2369
2370     for (i = 0; i < 10; i++) {
2371         generate_random_aead_testvec(ctx->req, &ctx->vec,
2372                          &ctx->test_desc->suite.aead,
2373                          ctx->maxkeysize, ctx->maxdatasize,
2374                          ctx->vec_name,
2375                          sizeof(ctx->vec_name), true);
2376         if (ctx->vec.novrfy)
2377             return;
2378     }
2379 }
2380
2381 /*
2382  * Generate inauthentic test vectors (i.e. ciphertext, AAD pairs that aren't the
2383  * result of an encryption with the key) and verify that decryption fails.
2384  */
2385 static int test_aead_inauthentic_inputs(struct aead_extra_tests_ctx *ctx)
2386 {
2387     unsigned int i;
2388     int err;
2389
2390     for (i = 0; i < fuzz_iterations * 8; i++) {
2391         /*
2392          * Since this part of the tests isn't comparing the
2393          * implementation to another, there's no point in testing any
2394          * test vectors other than inauthentic ones (vec.novrfy=1) here.
2395          *
2396          * If we're having trouble generating such a test vector, e.g.
2397          * if the algorithm keeps rejecting the generated keys, don't
2398          * retry forever; just continue on.
2399          */
2400         try_to_generate_inauthentic_testvec(ctx);
2401         if (ctx->vec.novrfy) {
2402             generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
2403                                sizeof(ctx->cfgname));
2404             err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2405                         ctx->vec_name, &ctx->cfg,
2406                         ctx->req, ctx->tsgls);
2407             if (err)
2408                 return err;
2409         }
2410         cond_resched();
2411     }
2412     return 0;
2413 }
2414
2415 /*
2416  * Test the AEAD algorithm against the corresponding generic implementation, if
2417  * one is available.
2418  */
2419 static int test_aead_vs_generic_impl(struct aead_extra_tests_ctx *ctx)
2420 {
2421     struct crypto_aead *tfm = ctx->tfm;
2422     const char *algname = crypto_aead_alg(tfm)->base.cra_name;
2423     const char *driver = crypto_aead_driver_name(tfm);
2424     const char *generic_driver = ctx->test_desc->generic_driver;
2425     char _generic_driver[CRYPTO_MAX_ALG_NAME];
2426     struct crypto_aead *generic_tfm = NULL;
2427     struct aead_request *generic_req = NULL;
2428     unsigned int i;
2429     int err;
2430
2431     if (!generic_driver) { /* Use default naming convention? */
2432         err = build_generic_driver_name(algname, _generic_driver);
2433         if (err)
2434             return err;
2435         generic_driver = _generic_driver;
2436     }
2437
2438     if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
2439         return 0;
2440
2441     generic_tfm = crypto_alloc_aead(generic_driver, 0, 0);
2442     if (IS_ERR(generic_tfm)) {
2443         err = PTR_ERR(generic_tfm);
2444         if (err == -ENOENT) {
2445             pr_warn("alg: aead: skipping comparison tests for %s because %s is unavailable\n",
2446                 driver, generic_driver);
2447             return 0;
2448         }
2449         pr_err("alg: aead: error allocating %s (generic impl of %s): %d\n",
2450                generic_driver, algname, err);
2451         return err;
2452     }
2453
2454     generic_req = aead_request_alloc(generic_tfm, GFP_KERNEL);
2455     if (!generic_req) {
2456         err = -ENOMEM;
2457         goto out;
2458     }
2459
2460     /* Check the algorithm properties for consistency. */
2461
2462     if (crypto_aead_maxauthsize(tfm) !=
2463         crypto_aead_maxauthsize(generic_tfm)) {
2464         pr_err("alg: aead: maxauthsize for %s (%u) doesn't match generic impl (%u)\n",
2465                driver, crypto_aead_maxauthsize(tfm),
2466                crypto_aead_maxauthsize(generic_tfm));
2467         err = -EINVAL;
2468         goto out;
2469     }
2470
2471     if (crypto_aead_ivsize(tfm) != crypto_aead_ivsize(generic_tfm)) {
2472         pr_err("alg: aead: ivsize for %s (%u) doesn't match generic impl (%u)\n",
2473                driver, crypto_aead_ivsize(tfm),
2474                crypto_aead_ivsize(generic_tfm));
2475         err = -EINVAL;
2476         goto out;
2477     }
2478
2479     if (crypto_aead_blocksize(tfm) != crypto_aead_blocksize(generic_tfm)) {
2480         pr_err("alg: aead: blocksize for %s (%u) doesn't match generic impl (%u)\n",
2481                driver, crypto_aead_blocksize(tfm),
2482                crypto_aead_blocksize(generic_tfm));
2483         err = -EINVAL;
2484         goto out;
2485     }
2486
2487     /*
2488      * Now generate test vectors using the generic implementation, and test
2489      * the other implementation against them.
2490      */
2491     for (i = 0; i < fuzz_iterations * 8; i++) {
2492         generate_random_aead_testvec(generic_req, &ctx->vec,
2493                          &ctx->test_desc->suite.aead,
2494                          ctx->maxkeysize, ctx->maxdatasize,
2495                          ctx->vec_name,
2496                          sizeof(ctx->vec_name), false);
2497         generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
2498                            sizeof(ctx->cfgname));
2499         if (!ctx->vec.novrfy) {
2500             err = test_aead_vec_cfg(ENCRYPT, &ctx->vec,
2501                         ctx->vec_name, &ctx->cfg,
2502                         ctx->req, ctx->tsgls);
2503             if (err)
2504                 goto out;
2505         }
2506         if (ctx->vec.crypt_error == 0 || ctx->vec.novrfy) {
2507             err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2508                         ctx->vec_name, &ctx->cfg,
2509                         ctx->req, ctx->tsgls);
2510             if (err)
2511                 goto out;
2512         }
2513         cond_resched();
2514     }
2515     err = 0;
2516 out:
2517     crypto_free_aead(generic_tfm);
2518     aead_request_free(generic_req);
2519     return err;
2520 }
2521
2522 static int test_aead_extra(const struct alg_test_desc *test_desc,
2523                struct aead_request *req,
2524                struct cipher_test_sglists *tsgls)
2525 {
2526     struct aead_extra_tests_ctx *ctx;
2527     unsigned int i;
2528     int err;
2529
2530     if (noextratests)
2531         return 0;
2532
2533     ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2534     if (!ctx)
2535         return -ENOMEM;
2536     ctx->req = req;
2537     ctx->tfm = crypto_aead_reqtfm(req);
2538     ctx->test_desc = test_desc;
2539     ctx->tsgls = tsgls;
2540     ctx->maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
2541     ctx->maxkeysize = 0;
2542     for (i = 0; i < test_desc->suite.aead.count; i++)
2543         ctx->maxkeysize = max_t(unsigned int, ctx->maxkeysize,
2544                     test_desc->suite.aead.vecs[i].klen);
2545
2546     ctx->vec.key = kmalloc(ctx->maxkeysize, GFP_KERNEL);
2547     ctx->vec.iv = kmalloc(crypto_aead_ivsize(ctx->tfm), GFP_KERNEL);
2548     ctx->vec.assoc = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2549     ctx->vec.ptext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2550     ctx->vec.ctext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2551     if (!ctx->vec.key || !ctx->vec.iv || !ctx->vec.assoc ||
2552         !ctx->vec.ptext || !ctx->vec.ctext) {
2553         err = -ENOMEM;
2554         goto out;
2555     }
2556
2557     err = test_aead_vs_generic_impl(ctx);
2558     if (err)
2559         goto out;
2560
2561     err = test_aead_inauthentic_inputs(ctx);
2562 out:
2563     kfree(ctx->vec.key);
2564     kfree(ctx->vec.iv);
2565     kfree(ctx->vec.assoc);
2566     kfree(ctx->vec.ptext);
2567     kfree(ctx->vec.ctext);
2568     kfree(ctx);
2569     return err;
2570 }
2571 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2572 static int test_aead_extra(const struct alg_test_desc *test_desc,
2573                struct aead_request *req,
2574                struct cipher_test_sglists *tsgls)
2575 {
2576     return 0;
2577 }
2578 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2579
2580 static int test_aead(int enc, const struct aead_test_suite *suite,
2581              struct aead_request *req,
2582              struct cipher_test_sglists *tsgls)
2583 {
2584     unsigned int i;
2585     int err;
2586
2587     for (i = 0; i < suite->count; i++) {
2588         err = test_aead_vec(enc, &suite->vecs[i], i, req, tsgls);
2589         if (err)
2590             return err;
2591         cond_resched();
2592     }
2593     return 0;
2594 }
2595
2596 static int alg_test_aead(const struct alg_test_desc *desc, const char *driver,
2597              u32 type, u32 mask)
2598 {
2599     const struct aead_test_suite *suite = &desc->suite.aead;
2600     struct crypto_aead *tfm;
2601     struct aead_request *req = NULL;
2602     struct cipher_test_sglists *tsgls = NULL;
2603     int err;
2604
2605     if (suite->count <= 0) {
2606         pr_err("alg: aead: empty test suite for %s\n", driver);
2607         return -EINVAL;
2608     }
2609
2610     tfm = crypto_alloc_aead(driver, type, mask);
2611     if (IS_ERR(tfm)) {
2612         pr_err("alg: aead: failed to allocate transform for %s: %ld\n",
2613                driver, PTR_ERR(tfm));
2614         return PTR_ERR(tfm);
2615     }
2616     driver = crypto_aead_driver_name(tfm);
2617
2618     req = aead_request_alloc(tfm, GFP_KERNEL);
2619     if (!req) {
2620         pr_err("alg: aead: failed to allocate request for %s\n",
2621                driver);
2622         err = -ENOMEM;
2623         goto out;
2624     }
2625
2626     tsgls = alloc_cipher_test_sglists();
2627     if (!tsgls) {
2628         pr_err("alg: aead: failed to allocate test buffers for %s\n",
2629                driver);
2630         err = -ENOMEM;
2631         goto out;
2632     }
2633
2634     err = test_aead(ENCRYPT, suite, req, tsgls);
2635     if (err)
2636         goto out;
2637
2638     err = test_aead(DECRYPT, suite, req, tsgls);
2639     if (err)
2640         goto out;
2641
2642     err = test_aead_extra(desc, req, tsgls);
2643 out:
2644     free_cipher_test_sglists(tsgls);
2645     aead_request_free(req);
2646     crypto_free_aead(tfm);
2647     return err;
2648 }
2649
2650 static int test_cipher(struct crypto_cipher *tfm, int enc,
2651                const struct cipher_testvec *template,
2652                unsigned int tcount)
2653 {
2654     const char *algo = crypto_tfm_alg_driver_name(crypto_cipher_tfm(tfm));
2655     unsigned int i, j, k;
2656     char *q;
2657     const char *e;
2658     const char *input, *result;
2659     void *data;
2660     char *xbuf[XBUFSIZE];
2661     int ret = -ENOMEM;
2662
2663     if (testmgr_alloc_buf(xbuf))
2664         goto out_nobuf;
2665
2666     if (enc == ENCRYPT)
2667             e = "encryption";
2668     else
2669         e = "decryption";
2670
2671     j = 0;
2672     for (i = 0; i < tcount; i++) {
2673
2674         if (fips_enabled && template[i].fips_skip)
2675             continue;
2676
2677         input  = enc ? template[i].ptext : template[i].ctext;
2678         result = enc ? template[i].ctext : template[i].ptext;
2679         j++;
2680
2681         ret = -EINVAL;
2682         if (WARN_ON(template[i].len > PAGE_SIZE))
2683             goto out;
2684
2685         data = xbuf[0];
2686         memcpy(data, input, template[i].len);
2687
2688         crypto_cipher_clear_flags(tfm, ~0);
2689         if (template[i].wk)
2690             crypto_cipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2691
2692         ret = crypto_cipher_setkey(tfm, template[i].key,
2693                        template[i].klen);
2694         if (ret) {
2695             if (ret == template[i].setkey_error)
2696                 continue;
2697             pr_err("alg: cipher: %s setkey failed on test vector %u; expected_error=%d, actual_error=%d, flags=%#x\n",
2698                    algo, j, template[i].setkey_error, ret,
2699                    crypto_cipher_get_flags(tfm));
2700             goto out;
2701         }
2702         if (template[i].setkey_error) {
2703             pr_err("alg: cipher: %s setkey unexpectedly succeeded on test vector %u; expected_error=%d\n",
2704                    algo, j, template[i].setkey_error);
2705             ret = -EINVAL;
2706             goto out;
2707         }
2708
2709         for (k = 0; k < template[i].len;
2710              k += crypto_cipher_blocksize(tfm)) {
2711             if (enc)
2712                 crypto_cipher_encrypt_one(tfm, data + k,
2713                               data + k);
2714             else
2715                 crypto_cipher_decrypt_one(tfm, data + k,
2716                               data + k);
2717         }
2718
2719         q = data;
2720         if (memcmp(q, result, template[i].len)) {
2721             printk(KERN_ERR "alg: cipher: Test %d failed "
2722                    "on %s for %s\n", j, e, algo);
2723             hexdump(q, template[i].len);
2724             ret = -EINVAL;
2725             goto out;
2726         }
2727     }
2728
2729     ret = 0;
2730
2731 out:
2732     testmgr_free_buf(xbuf);
2733 out_nobuf:
2734     return ret;
2735 }
2736
2737 static int test_skcipher_vec_cfg(int enc, const struct cipher_testvec *vec,
2738                  const char *vec_name,
2739                  const struct testvec_config *cfg,
2740                  struct skcipher_request *req,
2741                  struct cipher_test_sglists *tsgls)
2742 {
2743     struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2744     const unsigned int alignmask = crypto_skcipher_alignmask(tfm);
2745     const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2746     const char *driver = crypto_skcipher_driver_name(tfm);
2747     const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
2748     const char *op = enc ? "encryption" : "decryption";
2749     DECLARE_CRYPTO_WAIT(wait);
2750     u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
2751     u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
2752          cfg->iv_offset +
2753          (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
2754     struct kvec input;
2755     int err;
2756
2757     /* Set the key */
2758     if (vec->wk)
2759         crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2760     else
2761         crypto_skcipher_clear_flags(tfm,
2762                         CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2763     err = do_setkey(crypto_skcipher_setkey, tfm, vec->key, vec->klen,
2764             cfg, alignmask);
2765     if (err) {
2766         if (err == vec->setkey_error)
2767             return 0;
2768         pr_err("alg: skcipher: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2769                driver, vec_name, vec->setkey_error, err,
2770                crypto_skcipher_get_flags(tfm));
2771         return err;
2772     }
2773     if (vec->setkey_error) {
2774         pr_err("alg: skcipher: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2775                driver, vec_name, vec->setkey_error);
2776         return -EINVAL;
2777     }
2778
2779     /* The IV must be copied to a buffer, as the algorithm may modify it */
2780     if (ivsize) {
2781         if (WARN_ON(ivsize > MAX_IVLEN))
2782             return -EINVAL;
2783         if (vec->generates_iv && !enc)
2784             memcpy(iv, vec->iv_out, ivsize);
2785         else if (vec->iv)
2786             memcpy(iv, vec->iv, ivsize);
2787         else
2788             memset(iv, 0, ivsize);
2789     } else {
2790         if (vec->generates_iv) {
2791             pr_err("alg: skcipher: %s has ivsize=0 but test vector %s generates IV!\n",
2792                    driver, vec_name);
2793             return -EINVAL;
2794         }
2795         iv = NULL;
2796     }
2797
2798     /* Build the src/dst scatterlists */
2799     input.iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2800     input.iov_len = vec->len;
2801     err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2802                     vec->len, vec->len, &input, 1);
2803     if (err) {
2804         pr_err("alg: skcipher: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2805                driver, op, vec_name, cfg->name);
2806         return err;
2807     }
2808
2809     /* Do the actual encryption or decryption */
2810     testmgr_poison(req->__ctx, crypto_skcipher_reqsize(tfm));
2811     skcipher_request_set_callback(req, req_flags, crypto_req_done, &wait);
2812     skcipher_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2813                    vec->len, iv);
2814     if (cfg->nosimd)
2815         crypto_disable_simd_for_test();
2816     err = enc ? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req);
2817     if (cfg->nosimd)
2818         crypto_reenable_simd_for_test();
2819     err = crypto_wait_req(err, &wait);
2820
2821     /* Check that the algorithm didn't overwrite things it shouldn't have */
2822     if (req->cryptlen != vec->len ||
2823         req->iv != iv ||
2824         req->src != tsgls->src.sgl_ptr ||
2825         req->dst != tsgls->dst.sgl_ptr ||
2826         crypto_skcipher_reqtfm(req) != tfm ||
2827         req->base.complete != crypto_req_done ||
2828         req->base.flags != req_flags ||
2829         req->base.data != &wait) {
2830         pr_err("alg: skcipher: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2831                driver, op, vec_name, cfg->name);
2832         if (req->cryptlen != vec->len)
2833             pr_err("alg: skcipher: changed 'req->cryptlen'\n");
2834         if (req->iv != iv)
2835             pr_err("alg: skcipher: changed 'req->iv'\n");
2836         if (req->src != tsgls->src.sgl_ptr)
2837             pr_err("alg: skcipher: changed 'req->src'\n");
2838         if (req->dst != tsgls->dst.sgl_ptr)
2839             pr_err("alg: skcipher: changed 'req->dst'\n");
2840         if (crypto_skcipher_reqtfm(req) != tfm)
2841             pr_err("alg: skcipher: changed 'req->base.tfm'\n");
2842         if (req->base.complete != crypto_req_done)
2843             pr_err("alg: skcipher: changed 'req->base.complete'\n");
2844         if (req->base.flags != req_flags)
2845             pr_err("alg: skcipher: changed 'req->base.flags'\n");
2846         if (req->base.data != &wait)
2847             pr_err("alg: skcipher: changed 'req->base.data'\n");
2848         return -EINVAL;
2849     }
2850     if (is_test_sglist_corrupted(&tsgls->src)) {
2851         pr_err("alg: skcipher: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2852                driver, op, vec_name, cfg->name);
2853         return -EINVAL;
2854     }
2855     if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2856         is_test_sglist_corrupted(&tsgls->dst)) {
2857         pr_err("alg: skcipher: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2858                driver, op, vec_name, cfg->name);
2859         return -EINVAL;
2860     }
2861
2862     /* Check for success or failure */
2863     if (err) {
2864         if (err == vec->crypt_error)
2865             return 0;
2866         pr_err("alg: skcipher: %s %s failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
2867                driver, op, vec_name, vec->crypt_error, err, cfg->name);
2868         return err;
2869     }
2870     if (vec->crypt_error) {
2871         pr_err("alg: skcipher: %s %s unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
2872                driver, op, vec_name, vec->crypt_error, cfg->name);
2873         return -EINVAL;
2874     }
2875
2876     /* Check for the correct output (ciphertext or plaintext) */
2877     err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2878                     vec->len, 0, true);
2879     if (err == -EOVERFLOW) {
2880         pr_err("alg: skcipher: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2881                driver, op, vec_name, cfg->name);
2882         return err;
2883     }
2884     if (err) {
2885         pr_err("alg: skcipher: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2886                driver, op, vec_name, cfg->name);
2887         return err;
2888     }
2889
2890     /* If applicable, check that the algorithm generated the correct IV */
2891     if (vec->iv_out && memcmp(iv, vec->iv_out, ivsize) != 0) {
2892         pr_err("alg: skcipher: %s %s test failed (wrong output IV) on test vector %s, cfg=\"%s\"\n",
2893                driver, op, vec_name, cfg->name);
2894         hexdump(iv, ivsize);
2895         return -EINVAL;
2896     }
2897
2898     return 0;
2899 }
2900
2901 static int test_skcipher_vec(int enc, const struct cipher_testvec *vec,
2902                  unsigned int vec_num,
2903                  struct skcipher_request *req,
2904                  struct cipher_test_sglists *tsgls)
2905 {
2906     char vec_name[16];
2907     unsigned int i;
2908     int err;
2909
2910     if (fips_enabled && vec->fips_skip)
2911         return 0;
2912
2913     sprintf(vec_name, "%u", vec_num);
2914
2915     for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2916         err = test_skcipher_vec_cfg(enc, vec, vec_name,
2917                         &default_cipher_testvec_configs[i],
2918                         req, tsgls);
2919         if (err)
2920             return err;
2921     }
2922
2923 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2924     if (!noextratests) {
2925         struct testvec_config cfg;
2926         char cfgname[TESTVEC_CONFIG_NAMELEN];
2927
2928         for (i = 0; i < fuzz_iterations; i++) {
2929             generate_random_testvec_config(&cfg, cfgname,
2930                                sizeof(cfgname));
2931             err = test_skcipher_vec_cfg(enc, vec, vec_name,
2932                             &cfg, req, tsgls);
2933             if (err)
2934                 return err;
2935             cond_resched();
2936         }
2937     }
2938 #endif
2939     return 0;
2940 }
2941
2942 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2943 /*
2944  * Generate a symmetric cipher test vector from the given implementation.
2945  * Assumes the buffers in 'vec' were already allocated.
2946  */
2947 static void generate_random_cipher_testvec(struct skcipher_request *req,
2948                        struct cipher_testvec *vec,
2949                        unsigned int maxdatasize,
2950                        char *name, size_t max_namelen)
2951 {
2952     struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2953     const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
2954     const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2955     struct scatterlist src, dst;
2956     u8 iv[MAX_IVLEN];
2957     DECLARE_CRYPTO_WAIT(wait);
2958
2959     /* Key: length in [0, maxkeysize], but usually choose maxkeysize */
2960     vec->klen = maxkeysize;
2961     if (prandom_u32() % 4 == 0)
2962         vec->klen = prandom_u32() % (maxkeysize + 1);
2963     generate_random_bytes((u8 *)vec->key, vec->klen);
2964     vec->setkey_error = crypto_skcipher_setkey(tfm, vec->key, vec->klen);
2965
2966     /* IV */
2967     generate_random_bytes((u8 *)vec->iv, ivsize);
2968
2969     /* Plaintext */
2970     vec->len = generate_random_length(maxdatasize);
2971     generate_random_bytes((u8 *)vec->ptext, vec->len);
2972
2973     /* If the key couldn't be set, no need to continue to encrypt. */
2974     if (vec->setkey_error)
2975         goto done;
2976
2977     /* Ciphertext */
2978     sg_init_one(&src, vec->ptext, vec->len);
2979     sg_init_one(&dst, vec->ctext, vec->len);
2980     memcpy(iv, vec->iv, ivsize);
2981     skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
2982     skcipher_request_set_crypt(req, &src, &dst, vec->len, iv);
2983     vec->crypt_error = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
2984     if (vec->crypt_error != 0) {
2985         /*
2986          * The only acceptable error here is for an invalid length, so
2987          * skcipher decryption should fail with the same error too.
2988          * We'll test for this.  But to keep the API usage well-defined,
2989          * explicitly initialize the ciphertext buffer too.
2990          */
2991         memset((u8 *)vec->ctext, 0, vec->len);
2992     }
2993 done:
2994     snprintf(name, max_namelen, "\"random: len=%u klen=%u\"",
2995          vec->len, vec->klen);
2996 }
2997
2998 /*
2999  * Test the skcipher algorithm represented by @req against the corresponding
3000  * generic implementation, if one is available.
3001  */
3002 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3003                      struct skcipher_request *req,
3004                      struct cipher_test_sglists *tsgls)
3005 {
3006     struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3007     const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
3008     const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
3009     const unsigned int blocksize = crypto_skcipher_blocksize(tfm);
3010     const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
3011     const char *algname = crypto_skcipher_alg(tfm)->base.cra_name;
3012     const char *driver = crypto_skcipher_driver_name(tfm);
3013     char _generic_driver[CRYPTO_MAX_ALG_NAME];
3014     struct crypto_skcipher *generic_tfm = NULL;
3015     struct skcipher_request *generic_req = NULL;
3016     unsigned int i;
3017     struct cipher_testvec vec = { 0 };
3018     char vec_name[64];
3019     struct testvec_config *cfg;
3020     char cfgname[TESTVEC_CONFIG_NAMELEN];
3021     int err;
3022
3023     if (noextratests)
3024         return 0;
3025
3026     /* Keywrap isn't supported here yet as it handles its IV differently. */
3027     if (strncmp(algname, "kw(", 3) == 0)
3028         return 0;
3029
3030     if (!generic_driver) { /* Use default naming convention? */
3031         err = build_generic_driver_name(algname, _generic_driver);
3032         if (err)
3033             return err;
3034         generic_driver = _generic_driver;
3035     }
3036
3037     if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
3038         return 0;
3039
3040     generic_tfm = crypto_alloc_skcipher(generic_driver, 0, 0);
3041     if (IS_ERR(generic_tfm)) {
3042         err = PTR_ERR(generic_tfm);
3043         if (err == -ENOENT) {
3044             pr_warn("alg: skcipher: skipping comparison tests for %s because %s is unavailable\n",
3045                 driver, generic_driver);
3046             return 0;
3047         }
3048         pr_err("alg: skcipher: error allocating %s (generic impl of %s): %d\n",
3049                generic_driver, algname, err);
3050         return err;
3051     }
3052
3053     cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
3054     if (!cfg) {
3055         err = -ENOMEM;
3056         goto out;
3057     }
3058
3059     generic_req = skcipher_request_alloc(generic_tfm, GFP_KERNEL);
3060     if (!generic_req) {
3061         err = -ENOMEM;
3062         goto out;
3063     }
3064
3065     /* Check the algorithm properties for consistency. */
3066
3067     if (crypto_skcipher_min_keysize(tfm) !=
3068         crypto_skcipher_min_keysize(generic_tfm)) {
3069         pr_err("alg: skcipher: min keysize for %s (%u) doesn't match generic impl (%u)\n",
3070                driver, crypto_skcipher_min_keysize(tfm),
3071                crypto_skcipher_min_keysize(generic_tfm));
3072         err = -EINVAL;
3073         goto out;
3074     }
3075
3076     if (maxkeysize != crypto_skcipher_max_keysize(generic_tfm)) {
3077         pr_err("alg: skcipher: max keysize for %s (%u) doesn't match generic impl (%u)\n",
3078                driver, maxkeysize,
3079                crypto_skcipher_max_keysize(generic_tfm));
3080         err = -EINVAL;
3081         goto out;
3082     }
3083
3084     if (ivsize != crypto_skcipher_ivsize(generic_tfm)) {
3085         pr_err("alg: skcipher: ivsize for %s (%u) doesn't match generic impl (%u)\n",
3086                driver, ivsize, crypto_skcipher_ivsize(generic_tfm));
3087         err = -EINVAL;
3088         goto out;
3089     }
3090
3091     if (blocksize != crypto_skcipher_blocksize(generic_tfm)) {
3092         pr_err("alg: skcipher: blocksize for %s (%u) doesn't match generic impl (%u)\n",
3093                driver, blocksize,
3094                crypto_skcipher_blocksize(generic_tfm));
3095         err = -EINVAL;
3096         goto out;
3097     }
3098
3099     /*
3100      * Now generate test vectors using the generic implementation, and test
3101      * the other implementation against them.
3102      */
3103
3104     vec.key = kmalloc(maxkeysize, GFP_KERNEL);
3105     vec.iv = kmalloc(ivsize, GFP_KERNEL);
3106     vec.ptext = kmalloc(maxdatasize, GFP_KERNEL);
3107     vec.ctext = kmalloc(maxdatasize, GFP_KERNEL);
3108     if (!vec.key || !vec.iv || !vec.ptext || !vec.ctext) {
3109         err = -ENOMEM;
3110         goto out;
3111     }
3112
3113     for (i = 0; i < fuzz_iterations * 8; i++) {
3114         generate_random_cipher_testvec(generic_req, &vec, maxdatasize,
3115                            vec_name, sizeof(vec_name));
3116         generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
3117
3118         err = test_skcipher_vec_cfg(ENCRYPT, &vec, vec_name,
3119                         cfg, req, tsgls);
3120         if (err)
3121             goto out;
3122         err = test_skcipher_vec_cfg(DECRYPT, &vec, vec_name,
3123                         cfg, req, tsgls);
3124         if (err)
3125             goto out;
3126         cond_resched();
3127     }
3128     err = 0;
3129 out:
3130     kfree(cfg);
3131     kfree(vec.key);
3132     kfree(vec.iv);
3133     kfree(vec.ptext);
3134     kfree(vec.ctext);
3135     crypto_free_skcipher(generic_tfm);
3136     skcipher_request_free(generic_req);
3137     return err;
3138 }
3139 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3140 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3141                      struct skcipher_request *req,
3142                      struct cipher_test_sglists *tsgls)
3143 {
3144     return 0;
3145 }
3146 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3147
3148 static int test_skcipher(int enc, const struct cipher_test_suite *suite,
3149              struct skcipher_request *req,
3150              struct cipher_test_sglists *tsgls)
3151 {
3152     unsigned int i;
3153     int err;
3154
3155     for (i = 0; i < suite->count; i++) {
3156         err = test_skcipher_vec(enc, &suite->vecs[i], i, req, tsgls);
3157         if (err)
3158             return err;
3159         cond_resched();
3160     }
3161     return 0;
3162 }
3163
3164 static int alg_test_skcipher(const struct alg_test_desc *desc,
3165                  const char *driver, u32 type, u32 mask)
3166 {
3167     const struct cipher_test_suite *suite = &desc->suite.cipher;
3168     struct crypto_skcipher *tfm;
3169     struct skcipher_request *req = NULL;
3170     struct cipher_test_sglists *tsgls = NULL;
3171     int err;
3172
3173     if (suite->count <= 0) {
3174         pr_err("alg: skcipher: empty test suite for %s\n", driver);
3175         return -EINVAL;
3176     }
3177
3178     tfm = crypto_alloc_skcipher(driver, type, mask);
3179     if (IS_ERR(tfm)) {
3180         pr_err("alg: skcipher: failed to allocate transform for %s: %ld\n",
3181                driver, PTR_ERR(tfm));
3182         return PTR_ERR(tfm);
3183     }
3184     driver = crypto_skcipher_driver_name(tfm);
3185
3186     req = skcipher_request_alloc(tfm, GFP_KERNEL);
3187     if (!req) {
3188         pr_err("alg: skcipher: failed to allocate request for %s\n",
3189                driver);
3190         err = -ENOMEM;
3191         goto out;
3192     }
3193
3194     tsgls = alloc_cipher_test_sglists();
3195     if (!tsgls) {
3196         pr_err("alg: skcipher: failed to allocate test buffers for %s\n",
3197                driver);
3198         err = -ENOMEM;
3199         goto out;
3200     }
3201
3202     err = test_skcipher(ENCRYPT, suite, req, tsgls);
3203     if (err)
3204         goto out;
3205
3206     err = test_skcipher(DECRYPT, suite, req, tsgls);
3207     if (err)
3208         goto out;
3209
3210     err = test_skcipher_vs_generic_impl(desc->generic_driver, req, tsgls);
3211 out:
3212     free_cipher_test_sglists(tsgls);
3213     skcipher_request_free(req);
3214     crypto_free_skcipher(tfm);
3215     return err;
3216 }
3217
3218 static int test_comp(struct crypto_comp *tfm,
3219              const struct comp_testvec *ctemplate,
3220              const struct comp_testvec *dtemplate,
3221              int ctcount, int dtcount)
3222 {
3223     const char *algo = crypto_tfm_alg_driver_name(crypto_comp_tfm(tfm));
3224     char *output, *decomp_output;
3225     unsigned int i;
3226     int ret;
3227
3228     output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3229     if (!output)
3230         return -ENOMEM;
3231
3232     decomp_output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3233     if (!decomp_output) {
3234         kfree(output);
3235         return -ENOMEM;
3236     }
3237
3238     for (i = 0; i < ctcount; i++) {
3239         int ilen;
3240         unsigned int dlen = COMP_BUF_SIZE;
3241
3242         memset(output, 0, COMP_BUF_SIZE);
3243         memset(decomp_output, 0, COMP_BUF_SIZE);
3244
3245         ilen = ctemplate[i].inlen;
3246         ret = crypto_comp_compress(tfm, ctemplate[i].input,
3247                        ilen, output, &dlen);
3248         if (ret) {
3249             printk(KERN_ERR "alg: comp: compression failed "
3250                    "on test %d for %s: ret=%d\n", i + 1, algo,
3251                    -ret);
3252             goto out;
3253         }
3254
3255         ilen = dlen;
3256         dlen = COMP_BUF_SIZE;
3257         ret = crypto_comp_decompress(tfm, output,
3258                          ilen, decomp_output, &dlen);
3259         if (ret) {
3260             pr_err("alg: comp: compression failed: decompress: on test %d for %s failed: ret=%d\n",
3261                    i + 1, algo, -ret);
3262             goto out;
3263         }
3264
3265         if (dlen != ctemplate[i].inlen) {
3266             printk(KERN_ERR "alg: comp: Compression test %d "
3267                    "failed for %s: output len = %d\n", i + 1, algo,
3268                    dlen);
3269             ret = -EINVAL;
3270             goto out;
3271         }
3272
3273         if (memcmp(decomp_output, ctemplate[i].input,
3274                ctemplate[i].inlen)) {
3275             pr_err("alg: comp: compression failed: output differs: on test %d for %s\n",
3276                    i + 1, algo);
3277             hexdump(decomp_output, dlen);
3278             ret = -EINVAL;
3279             goto out;
3280         }
3281     }
3282
3283     for (i = 0; i < dtcount; i++) {
3284         int ilen;
3285         unsigned int dlen = COMP_BUF_SIZE;
3286
3287         memset(decomp_output, 0, COMP_BUF_SIZE);
3288
3289         ilen = dtemplate[i].inlen;
3290         ret = crypto_comp_decompress(tfm, dtemplate[i].input,
3291                          ilen, decomp_output, &dlen);
3292         if (ret) {
3293             printk(KERN_ERR "alg: comp: decompression failed "
3294                    "on test %d for %s: ret=%d\n", i + 1, algo,
3295                    -ret);
3296             goto out;
3297         }
3298
3299         if (dlen != dtemplate[i].outlen) {
3300             printk(KERN_ERR "alg: comp: Decompression test %d "
3301                    "failed for %s: output len = %d\n", i + 1, algo,
3302                    dlen);
3303             ret = -EINVAL;
3304             goto out;
3305         }
3306
3307         if (memcmp(decomp_output, dtemplate[i].output, dlen)) {
3308             printk(KERN_ERR "alg: comp: Decompression test %d "
3309                    "failed for %s\n", i + 1, algo);
3310             hexdump(decomp_output, dlen);
3311             ret = -EINVAL;
3312             goto out;
3313         }
3314     }
3315
3316     ret = 0;
3317
3318 out:
3319     kfree(decomp_output);
3320     kfree(output);
3321     return ret;
3322 }
3323
3324 static int test_acomp(struct crypto_acomp *tfm,
3325                   const struct comp_testvec *ctemplate,
3326               const struct comp_testvec *dtemplate,
3327               int ctcount, int dtcount)
3328 {
3329     const char *algo = crypto_tfm_alg_driver_name(crypto_acomp_tfm(tfm));
3330     unsigned int i;
3331     char *output, *decomp_out;
3332     int ret;
3333     struct scatterlist src, dst;
3334     struct acomp_req *req;
3335     struct crypto_wait wait;
3336
3337     output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3338     if (!output)
3339         return -ENOMEM;
3340
3341     decomp_out = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3342     if (!decomp_out) {
3343         kfree(output);
3344         return -ENOMEM;
3345     }
3346
3347     for (i = 0; i < ctcount; i++) {
3348         unsigned int dlen = COMP_BUF_SIZE;
3349         int ilen = ctemplate[i].inlen;
3350         void *input_vec;
3351
3352         input_vec = kmemdup(ctemplate[i].input, ilen, GFP_KERNEL);
3353         if (!input_vec) {
3354             ret = -ENOMEM;
3355             goto out;
3356         }
3357
3358         memset(output, 0, dlen);
3359         crypto_init_wait(&wait);
3360         sg_init_one(&src, input_vec, ilen);
3361         sg_init_one(&dst, output, dlen);
3362
3363         req = acomp_request_alloc(tfm);
3364         if (!req) {
3365             pr_err("alg: acomp: request alloc failed for %s\n",
3366                    algo);
3367             kfree(input_vec);
3368             ret = -ENOMEM;
3369             goto out;
3370         }
3371
3372         acomp_request_set_params(req, &src, &dst, ilen, dlen);
3373         acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3374                        crypto_req_done, &wait);
3375
3376         ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3377         if (ret) {
3378             pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3379                    i + 1, algo, -ret);
3380             kfree(input_vec);
3381             acomp_request_free(req);
3382             goto out;
3383         }
3384
3385         ilen = req->dlen;
3386         dlen = COMP_BUF_SIZE;
3387         sg_init_one(&src, output, ilen);
3388         sg_init_one(&dst, decomp_out, dlen);
3389         crypto_init_wait(&wait);
3390         acomp_request_set_params(req, &src, &dst, ilen, dlen);
3391
3392         ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3393         if (ret) {
3394             pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3395                    i + 1, algo, -ret);
3396             kfree(input_vec);
3397             acomp_request_free(req);
3398             goto out;
3399         }
3400
3401         if (req->dlen != ctemplate[i].inlen) {
3402             pr_err("alg: acomp: Compression test %d failed for %s: output len = %d\n",
3403                    i + 1, algo, req->dlen);
3404             ret = -EINVAL;
3405             kfree(input_vec);
3406             acomp_request_free(req);
3407             goto out;
3408         }
3409
3410         if (memcmp(input_vec, decomp_out, req->dlen)) {
3411             pr_err("alg: acomp: Compression test %d failed for %s\n",
3412                    i + 1, algo);
3413             hexdump(output, req->dlen);
3414             ret = -EINVAL;
3415             kfree(input_vec);
3416             acomp_request_free(req);
3417             goto out;
3418         }
3419
3420         kfree(input_vec);
3421         acomp_request_free(req);
3422     }
3423
3424     for (i = 0; i < dtcount; i++) {
3425         unsigned int dlen = COMP_BUF_SIZE;
3426         int ilen = dtemplate[i].inlen;
3427         void *input_vec;
3428
3429         input_vec = kmemdup(dtemplate[i].input, ilen, GFP_KERNEL);
3430         if (!input_vec) {
3431             ret = -ENOMEM;
3432             goto out;
3433         }
3434
3435         memset(output, 0, dlen);
3436         crypto_init_wait(&wait);
3437         sg_init_one(&src, input_vec, ilen);
3438         sg_init_one(&dst, output, dlen);
3439
3440         req = acomp_request_alloc(tfm);
3441         if (!req) {
3442             pr_err("alg: acomp: request alloc failed for %s\n",
3443                    algo);
3444             kfree(input_vec);
3445             ret = -ENOMEM;
3446             goto out;
3447         }
3448
3449         acomp_request_set_params(req, &src, &dst, ilen, dlen);
3450         acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3451                        crypto_req_done, &wait);
3452
3453         ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3454         if (ret) {
3455             pr_err("alg: acomp: decompression failed on test %d for %s: ret=%d\n",
3456                    i + 1, algo, -ret);
3457             kfree(input_vec);
3458             acomp_request_free(req);
3459             goto out;
3460         }
3461
3462         if (req->dlen != dtemplate[i].outlen) {
3463             pr_err("alg: acomp: Decompression test %d failed for %s: output len = %d\n",
3464                    i + 1, algo, req->dlen);
3465             ret = -EINVAL;
3466             kfree(input_vec);
3467             acomp_request_free(req);
3468             goto out;
3469         }
3470
3471         if (memcmp(output, dtemplate[i].output, req->dlen)) {
3472             pr_err("alg: acomp: Decompression test %d failed for %s\n",
3473                    i + 1, algo);
3474             hexdump(output, req->dlen);
3475             ret = -EINVAL;
3476             kfree(input_vec);
3477             acomp_request_free(req);
3478             goto out;
3479         }
3480
3481         kfree(input_vec);
3482         acomp_request_free(req);
3483     }
3484
3485     ret = 0;
3486
3487 out:
3488     kfree(decomp_out);
3489     kfree(output);
3490     return ret;
3491 }
3492
3493 static int test_cprng(struct crypto_rng *tfm,
3494               const struct cprng_testvec *template,
3495               unsigned int tcount)
3496 {
3497     const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
3498     int err = 0, i, j, seedsize;
3499     u8 *seed;
3500     char result[32];
3501
3502     seedsize = crypto_rng_seedsize(tfm);
3503
3504     seed = kmalloc(seedsize, GFP_KERNEL);
3505     if (!seed) {
3506         printk(KERN_ERR "alg: cprng: Failed to allocate seed space "
3507                "for %s\n", algo);
3508         return -ENOMEM;
3509     }
3510
3511     for (i = 0; i < tcount; i++) {
3512         memset(result, 0, 32);
3513
3514         memcpy(seed, template[i].v, template[i].vlen);
3515         memcpy(seed + template[i].vlen, template[i].key,
3516                template[i].klen);
3517         memcpy(seed + template[i].vlen + template[i].klen,
3518                template[i].dt, template[i].dtlen);
3519
3520         err = crypto_rng_reset(tfm, seed, seedsize);
3521         if (err) {
3522             printk(KERN_ERR "alg: cprng: Failed to reset rng "
3523                    "for %s\n", algo);
3524             goto out;
3525         }
3526
3527         for (j = 0; j < template[i].loops; j++) {
3528             err = crypto_rng_get_bytes(tfm, result,
3529                            template[i].rlen);
3530             if (err < 0) {
3531                 printk(KERN_ERR "alg: cprng: Failed to obtain "
3532                        "the correct amount of random data for "
3533                        "%s (requested %d)\n", algo,
3534                        template[i].rlen);
3535                 goto out;
3536             }
3537         }
3538
3539         err = memcmp(result, template[i].result,
3540                  template[i].rlen);
3541         if (err) {
3542             printk(KERN_ERR "alg: cprng: Test %d failed for %s\n",
3543                    i, algo);
3544             hexdump(result, template[i].rlen);
3545             err = -EINVAL;
3546             goto out;
3547         }
3548     }
3549
3550 out:
3551     kfree(seed);
3552     return err;
3553 }
3554
3555 static int alg_test_cipher(const struct alg_test_desc *desc,
3556                const char *driver, u32 type, u32 mask)
3557 {
3558     const struct cipher_test_suite *suite = &desc->suite.cipher;
3559     struct crypto_cipher *tfm;
3560     int err;
3561
3562     tfm = crypto_alloc_cipher(driver, type, mask);
3563     if (IS_ERR(tfm)) {
3564         printk(KERN_ERR "alg: cipher: Failed to load transform for "
3565                "%s: %ld\n", driver, PTR_ERR(tfm));
3566         return PTR_ERR(tfm);
3567     }
3568
3569     err = test_cipher(tfm, ENCRYPT, suite->vecs, suite->count);
3570     if (!err)
3571         err = test_cipher(tfm, DECRYPT, suite->vecs, suite->count);
3572
3573     crypto_free_cipher(tfm);
3574     return err;
3575 }
3576
3577 static int alg_test_comp(const struct alg_test_desc *desc, const char *driver,
3578              u32 type, u32 mask)
3579 {
3580     struct crypto_comp *comp;
3581     struct crypto_acomp *acomp;
3582     int err;
3583     u32 algo_type = type & CRYPTO_ALG_TYPE_ACOMPRESS_MASK;
3584
3585     if (algo_type == CRYPTO_ALG_TYPE_ACOMPRESS) {
3586         acomp = crypto_alloc_acomp(driver, type, mask);
3587         if (IS_ERR(acomp)) {
3588             pr_err("alg: acomp: Failed to load transform for %s: %ld\n",
3589                    driver, PTR_ERR(acomp));
3590             return PTR_ERR(acomp);
3591         }
3592         err = test_acomp(acomp, desc->suite.comp.comp.vecs,
3593                  desc->suite.comp.decomp.vecs,
3594                  desc->suite.comp.comp.count,
3595                  desc->suite.comp.decomp.count);
3596         crypto_free_acomp(acomp);
3597     } else {
3598         comp = crypto_alloc_comp(driver, type, mask);
3599         if (IS_ERR(comp)) {
3600             pr_err("alg: comp: Failed to load transform for %s: %ld\n",
3601                    driver, PTR_ERR(comp));
3602             return PTR_ERR(comp);
3603         }
3604
3605         err = test_comp(comp, desc->suite.comp.comp.vecs,
3606                 desc->suite.comp.decomp.vecs,
3607                 desc->suite.comp.comp.count,
3608                 desc->suite.comp.decomp.count);
3609
3610         crypto_free_comp(comp);
3611     }
3612     return err;
3613 }
3614
3615 static int alg_test_crc32c(const struct alg_test_desc *desc,
3616                const char *driver, u32 type, u32 mask)
3617 {
3618     struct crypto_shash *tfm;
3619     __le32 val;
3620     int err;
3621
3622     err = alg_test_hash(desc, driver, type, mask);
3623     if (err)
3624         return err;
3625
3626     tfm = crypto_alloc_shash(driver, type, mask);
3627     if (IS_ERR(tfm)) {
3628         if (PTR_ERR(tfm) == -ENOENT) {
3629             /*
3630              * This crc32c implementation is only available through
3631              * ahash API, not the shash API, so the remaining part
3632              * of the test is not applicable to it.
3633              */
3634             return 0;
3635         }
3636         printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: "
3637                "%ld\n", driver, PTR_ERR(tfm));
3638         return PTR_ERR(tfm);
3639     }
3640     driver = crypto_shash_driver_name(tfm);
3641
3642     do {
3643         SHASH_DESC_ON_STACK(shash, tfm);
3644         u32 *ctx = (u32 *)shash_desc_ctx(shash);
3645
3646         shash->tfm = tfm;
3647
3648         *ctx = 420553207;
3649         err = crypto_shash_final(shash, (u8 *)&val);
3650         if (err) {
3651             printk(KERN_ERR "alg: crc32c: Operation failed for "
3652                    "%s: %d\n", driver, err);
3653             break;
3654         }
3655
3656         if (val != cpu_to_le32(~420553207)) {
3657             pr_err("alg: crc32c: Test failed for %s: %u\n",
3658                    driver, le32_to_cpu(val));
3659             err = -EINVAL;
3660         }
3661     } while (0);
3662
3663     crypto_free_shash(tfm);
3664
3665     return err;
3666 }
3667
3668 static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
3669               u32 type, u32 mask)
3670 {
3671     struct crypto_rng *rng;
3672     int err;
3673
3674     rng = crypto_alloc_rng(driver, type, mask);
3675     if (IS_ERR(rng)) {
3676         printk(KERN_ERR "alg: cprng: Failed to load transform for %s: "
3677                "%ld\n", driver, PTR_ERR(rng));
3678         return PTR_ERR(rng);
3679     }
3680
3681     err = test_cprng(rng, desc->suite.cprng.vecs, desc->suite.cprng.count);
3682
3683     crypto_free_rng(rng);
3684
3685     return err;
3686 }
3687
3688
3689 static int drbg_cavs_test(const struct drbg_testvec *test, int pr,
3690               const char *driver, u32 type, u32 mask)
3691 {
3692     int ret = -EAGAIN;
3693     struct crypto_rng *drng;
3694     struct drbg_test_data test_data;
3695     struct drbg_string addtl, pers, testentropy;
3696     unsigned char *buf = kzalloc(test->expectedlen, GFP_KERNEL);
3697
3698     if (!buf)
3699         return -ENOMEM;
3700
3701     drng = crypto_alloc_rng(driver, type, mask);
3702     if (IS_ERR(drng)) {
3703         printk(KERN_ERR "alg: drbg: could not allocate DRNG handle for "
3704                "%s\n", driver);
3705         kfree_sensitive(buf);
3706         return -ENOMEM;
3707     }
3708
3709     test_data.testentropy = &testentropy;
3710     drbg_string_fill(&testentropy, test->entropy, test->entropylen);
3711     drbg_string_fill(&pers, test->pers, test->perslen);
3712     ret = crypto_drbg_reset_test(drng, &pers, &test_data);
3713     if (ret) {
3714         printk(KERN_ERR "alg: drbg: Failed to reset rng\n");
3715         goto outbuf;
3716     }
3717
3718     drbg_string_fill(&addtl, test->addtla, test->addtllen);
3719     if (pr) {
3720         drbg_string_fill(&testentropy, test->entpra, test->entprlen);
3721         ret = crypto_drbg_get_bytes_addtl_test(drng,
3722             buf, test->expectedlen, &addtl, &test_data);
3723     } else {
3724         ret = crypto_drbg_get_bytes_addtl(drng,
3725             buf, test->expectedlen, &addtl);
3726     }
3727     if (ret < 0) {
3728         printk(KERN_ERR "alg: drbg: could not obtain random data for "
3729                "driver %s\n", driver);
3730         goto outbuf;
3731     }
3732
3733     drbg_string_fill(&addtl, test->addtlb, test->addtllen);
3734     if (pr) {
3735         drbg_string_fill(&testentropy, test->entprb, test->entprlen);
3736         ret = crypto_drbg_get_bytes_addtl_test(drng,
3737             buf, test->expectedlen, &addtl, &test_data);
3738     } else {
3739         ret = crypto_drbg_get_bytes_addtl(drng,
3740             buf, test->expectedlen, &addtl);
3741     }
3742     if (ret < 0) {
3743         printk(KERN_ERR "alg: drbg: could not obtain random data for "
3744                "driver %s\n", driver);
3745         goto outbuf;
3746     }
3747
3748     ret = memcmp(test->expected, buf, test->expectedlen);
3749
3750 outbuf:
3751     crypto_free_rng(drng);
3752     kfree_sensitive(buf);
3753     return ret;
3754 }
3755
3756
3757 static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver,
3758              u32 type, u32 mask)
3759 {
3760     int err = 0;
3761     int pr = 0;
3762     int i = 0;
3763     const struct drbg_testvec *template = desc->suite.drbg.vecs;
3764     unsigned int tcount = desc->suite.drbg.count;
3765
3766     if (0 == memcmp(driver, "drbg_pr_", 8))
3767         pr = 1;
3768
3769     for (i = 0; i < tcount; i++) {
3770         err = drbg_cavs_test(&template[i], pr, driver, type, mask);
3771         if (err) {
3772             printk(KERN_ERR "alg: drbg: Test %d failed for %s\n",
3773                    i, driver);
3774             err = -EINVAL;
3775             break;
3776         }
3777     }
3778     return err;
3779
3780 }
3781
3782 static int do_test_kpp(struct crypto_kpp *tfm, const struct kpp_testvec *vec,
3783                const char *alg)
3784 {
3785     struct kpp_request *req;
3786     void *input_buf = NULL;
3787     void *output_buf = NULL;
3788     void *a_public = NULL;
3789     void *a_ss = NULL;
3790     void *shared_secret = NULL;
3791     struct crypto_wait wait;
3792     unsigned int out_len_max;
3793     int err = -ENOMEM;
3794     struct scatterlist src, dst;
3795
3796     req = kpp_request_alloc(tfm, GFP_KERNEL);
3797     if (!req)
3798         return err;
3799
3800     crypto_init_wait(&wait);
3801
3802     err = crypto_kpp_set_secret(tfm, vec->secret, vec->secret_size);
3803     if (err < 0)
3804         goto free_req;
3805
3806     out_len_max = crypto_kpp_maxsize(tfm);
3807     output_buf = kzalloc(out_len_max, GFP_KERNEL);
3808     if (!output_buf) {
3809         err = -ENOMEM;
3810         goto free_req;
3811     }
3812
3813     /* Use appropriate parameter as base */
3814     kpp_request_set_input(req, NULL, 0);
3815     sg_init_one(&dst, output_buf, out_len_max);
3816     kpp_request_set_output(req, &dst, out_len_max);
3817     kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3818                  crypto_req_done, &wait);
3819
3820     /* Compute party A's public key */
3821     err = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait);
3822     if (err) {
3823         pr_err("alg: %s: Party A: generate public key test failed. err %d\n",
3824                alg, err);
3825         goto free_output;
3826     }
3827
3828     if (vec->genkey) {
3829         /* Save party A's public key */
3830         a_public = kmemdup(sg_virt(req->dst), out_len_max, GFP_KERNEL);
3831         if (!a_public) {
3832             err = -ENOMEM;
3833             goto free_output;
3834         }
3835     } else {
3836         /* Verify calculated public key */
3837         if (memcmp(vec->expected_a_public, sg_virt(req->dst),
3838                vec->expected_a_public_size)) {
3839             pr_err("alg: %s: Party A: generate public key test failed. Invalid output\n",
3840                    alg);
3841             err = -EINVAL;
3842             goto free_output;
3843         }
3844     }
3845
3846     /* Calculate shared secret key by using counter part (b) public key. */
3847     input_buf = kmemdup(vec->b_public, vec->b_public_size, GFP_KERNEL);
3848     if (!input_buf) {
3849         err = -ENOMEM;
3850         goto free_output;
3851     }
3852
3853     sg_init_one(&src, input_buf, vec->b_public_size);
3854     sg_init_one(&dst, output_buf, out_len_max);
3855     kpp_request_set_input(req, &src, vec->b_public_size);
3856     kpp_request_set_output(req, &dst, out_len_max);
3857     kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3858                  crypto_req_done, &wait);
3859     err = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait);
3860     if (err) {
3861         pr_err("alg: %s: Party A: compute shared secret test failed. err %d\n",
3862                alg, err);
3863         goto free_all;
3864     }
3865
3866     if (vec->genkey) {
3867         /* Save the shared secret obtained by party A */
3868         a_ss = kmemdup(sg_virt(req->dst), vec->expected_ss_size, GFP_KERNEL);
3869         if (!a_ss) {
3870             err = -ENOMEM;
3871             goto free_all;
3872         }
3873
3874         /*
3875          * Calculate party B's shared secret by using party A's
3876          * public key.
3877          */
3878         err = crypto_kpp_set_secret(tfm, vec->b_secret,
3879                         vec->b_secret_size);
3880         if (err < 0)
3881             goto free_all;
3882
3883         sg_init_one(&src, a_public, vec->expected_a_public_size);
3884         sg_init_one(&dst, output_buf, out_len_max);
3885         kpp_request_set_input(req, &src, vec->expected_a_public_size);
3886         kpp_request_set_output(req, &dst, out_len_max);
3887         kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3888                      crypto_req_done, &wait);
3889         err = crypto_wait_req(crypto_kpp_compute_shared_secret(req),
3890                       &wait);
3891         if (err) {
3892             pr_err("alg: %s: Party B: compute shared secret failed. err %d\n",
3893                    alg, err);
3894             goto free_all;
3895         }
3896
3897         shared_secret = a_ss;
3898     } else {
3899         shared_secret = (void *)vec->expected_ss;
3900     }
3901
3902     /*
3903      * verify shared secret from which the user will derive
3904      * secret key by executing whatever hash it has chosen
3905      */
3906     if (memcmp(shared_secret, sg_virt(req->dst),
3907            vec->expected_ss_size)) {
3908         pr_err("alg: %s: compute shared secret test failed. Invalid output\n",
3909                alg);
3910         err = -EINVAL;
3911     }
3912
3913 free_all:
3914     kfree(a_ss);
3915     kfree(input_buf);
3916 free_output:
3917     kfree(a_public);
3918     kfree(output_buf);
3919 free_req:
3920     kpp_request_free(req);
3921     return err;
3922 }
3923
3924 static int test_kpp(struct crypto_kpp *tfm, const char *alg,
3925             const struct kpp_testvec *vecs, unsigned int tcount)
3926 {
3927     int ret, i;
3928
3929     for (i = 0; i < tcount; i++) {
3930         ret = do_test_kpp(tfm, vecs++, alg);
3931         if (ret) {
3932             pr_err("alg: %s: test failed on vector %d, err=%d\n",
3933                    alg, i + 1, ret);
3934             return ret;
3935         }
3936     }
3937     return 0;
3938 }
3939
3940 static int alg_test_kpp(const struct alg_test_desc *desc, const char *driver,
3941             u32 type, u32 mask)
3942 {
3943     struct crypto_kpp *tfm;
3944     int err = 0;
3945
3946     tfm = crypto_alloc_kpp(driver, type, mask);
3947     if (IS_ERR(tfm)) {
3948         pr_err("alg: kpp: Failed to load tfm for %s: %ld\n",
3949                driver, PTR_ERR(tfm));
3950         return PTR_ERR(tfm);
3951     }
3952     if (desc->suite.kpp.vecs)
3953         err = test_kpp(tfm, desc->alg, desc->suite.kpp.vecs,
3954                    desc->suite.kpp.count);
3955
3956     crypto_free_kpp(tfm);
3957     return err;
3958 }
3959
3960 static u8 *test_pack_u32(u8 *dst, u32 val)
3961 {
3962     memcpy(dst, &val, sizeof(val));
3963     return dst + sizeof(val);
3964 }
3965
3966 static int test_akcipher_one(struct crypto_akcipher *tfm,
3967                  const struct akcipher_testvec *vecs)
3968 {
3969     char *xbuf[XBUFSIZE];
3970     struct akcipher_request *req;
3971     void *outbuf_enc = NULL;
3972     void *outbuf_dec = NULL;
3973     struct crypto_wait wait;
3974     unsigned int out_len_max, out_len = 0;
3975     int err = -ENOMEM;
3976     struct scatterlist src, dst, src_tab[3];
3977     const char *m, *c;
3978     unsigned int m_size, c_size;
3979     const char *op;
3980     u8 *key, *ptr;
3981
3982     if (testmgr_alloc_buf(xbuf))
3983         return err;
3984
3985     req = akcipher_request_alloc(tfm, GFP_KERNEL);
3986     if (!req)
3987         goto free_xbuf;
3988
3989     crypto_init_wait(&wait);
3990
3991     key = kmalloc(vecs->key_len + sizeof(u32) * 2 + vecs->param_len,
3992               GFP_KERNEL);
3993     if (!key)
3994         goto free_req;
3995     memcpy(key, vecs->key, vecs->key_len);
3996     ptr = key + vecs->key_len;
3997     ptr = test_pack_u32(ptr, vecs->algo);
3998     ptr = test_pack_u32(ptr, vecs->param_len);
3999     memcpy(ptr, vecs->params, vecs->param_len);
4000
4001     if (vecs->public_key_vec)
4002         err = crypto_akcipher_set_pub_key(tfm, key, vecs->key_len);
4003     else
4004         err = crypto_akcipher_set_priv_key(tfm, key, vecs->key_len);
4005     if (err)
4006         goto free_key;
4007
4008     /*
4009      * First run test which do not require a private key, such as
4010      * encrypt or verify.
4011      */
4012     err = -ENOMEM;
4013     out_len_max = crypto_akcipher_maxsize(tfm);
4014     outbuf_enc = kzalloc(out_len_max, GFP_KERNEL);
4015     if (!outbuf_enc)
4016         goto free_key;
4017
4018     if (!vecs->siggen_sigver_test) {
4019         m = vecs->m;
4020         m_size = vecs->m_size;
4021         c = vecs->c;
4022         c_size = vecs->c_size;
4023         op = "encrypt";
4024     } else {
4025         /* Swap args so we could keep plaintext (digest)
4026          * in vecs->m, and cooked signature in vecs->c.
4027          */
4028         m = vecs->c; /* signature */
4029         m_size = vecs->c_size;
4030         c = vecs->m; /* digest */
4031         c_size = vecs->m_size;
4032         op = "verify";
4033     }
4034
4035     err = -E2BIG;
4036     if (WARN_ON(m_size > PAGE_SIZE))
4037         goto free_all;
4038     memcpy(xbuf[0], m, m_size);
4039
4040     sg_init_table(src_tab, 3);
4041     sg_set_buf(&src_tab[0], xbuf[0], 8);
4042     sg_set_buf(&src_tab[1], xbuf[0] + 8, m_size - 8);
4043     if (vecs->siggen_sigver_test) {
4044         if (WARN_ON(c_size > PAGE_SIZE))
4045             goto free_all;
4046         memcpy(xbuf[1], c, c_size);
4047         sg_set_buf(&src_tab[2], xbuf[1], c_size);
4048         akcipher_request_set_crypt(req, src_tab, NULL, m_size, c_size);
4049     } else {
4050         sg_init_one(&dst, outbuf_enc, out_len_max);
4051         akcipher_request_set_crypt(req, src_tab, &dst, m_size,
4052                        out_len_max);
4053     }
4054     akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4055                       crypto_req_done, &wait);
4056
4057     err = crypto_wait_req(vecs->siggen_sigver_test ?
4058                   /* Run asymmetric signature verification */
4059                   crypto_akcipher_verify(req) :
4060                   /* Run asymmetric encrypt */
4061                   crypto_akcipher_encrypt(req), &wait);
4062     if (err) {
4063         pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4064         goto free_all;
4065     }
4066     if (!vecs->siggen_sigver_test && c) {
4067         if (req->dst_len != c_size) {
4068             pr_err("alg: akcipher: %s test failed. Invalid output len\n",
4069                    op);
4070             err = -EINVAL;
4071             goto free_all;
4072         }
4073         /* verify that encrypted message is equal to expected */
4074         if (memcmp(c, outbuf_enc, c_size) != 0) {
4075             pr_err("alg: akcipher: %s test failed. Invalid output\n",
4076                    op);
4077             hexdump(outbuf_enc, c_size);
4078             err = -EINVAL;
4079             goto free_all;
4080         }
4081     }
4082
4083     /*
4084      * Don't invoke (decrypt or sign) test which require a private key
4085      * for vectors with only a public key.
4086      */
4087     if (vecs->public_key_vec) {
4088         err = 0;
4089         goto free_all;
4090     }
4091     outbuf_dec = kzalloc(out_len_max, GFP_KERNEL);
4092     if (!outbuf_dec) {
4093         err = -ENOMEM;
4094         goto free_all;
4095     }
4096
4097     if (!vecs->siggen_sigver_test && !c) {
4098         c = outbuf_enc;
4099         c_size = req->dst_len;
4100     }
4101
4102     err = -E2BIG;
4103     op = vecs->siggen_sigver_test ? "sign" : "decrypt";
4104     if (WARN_ON(c_size > PAGE_SIZE))
4105         goto free_all;
4106     memcpy(xbuf[0], c, c_size);
4107
4108     sg_init_one(&src, xbuf[0], c_size);
4109     sg_init_one(&dst, outbuf_dec, out_len_max);
4110     crypto_init_wait(&wait);
4111     akcipher_request_set_crypt(req, &src, &dst, c_size, out_len_max);
4112
4113     err = crypto_wait_req(vecs->siggen_sigver_test ?
4114                   /* Run asymmetric signature generation */
4115                   crypto_akcipher_sign(req) :
4116                   /* Run asymmetric decrypt */
4117                   crypto_akcipher_decrypt(req), &wait);
4118     if (err) {
4119         pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4120         goto free_all;
4121     }
4122     out_len = req->dst_len;
4123     if (out_len < m_size) {
4124         pr_err("alg: akcipher: %s test failed. Invalid output len %u\n",
4125                op, out_len);
4126         err = -EINVAL;
4127         goto free_all;
4128     }
4129     /* verify that decrypted message is equal to the original msg */
4130     if (memchr_inv(outbuf_dec, 0, out_len - m_size) ||
4131         memcmp(m, outbuf_dec + out_len - m_size, m_size)) {
4132         pr_err("alg: akcipher: %s test failed. Invalid output\n", op);
4133         hexdump(outbuf_dec, out_len);
4134         err = -EINVAL;
4135     }
4136 free_all:
4137     kfree(outbuf_dec);
4138     kfree(outbuf_enc);
4139 free_key:
4140     kfree(key);
4141 free_req:
4142     akcipher_request_free(req);
4143 free_xbuf:
4144     testmgr_free_buf(xbuf);
4145     return err;
4146 }
4147
4148 static int test_akcipher(struct crypto_akcipher *tfm, const char *alg,
4149              const struct akcipher_testvec *vecs,
4150              unsigned int tcount)
4151 {
4152     const char *algo =
4153         crypto_tfm_alg_driver_name(crypto_akcipher_tfm(tfm));
4154     int ret, i;
4155
4156     for (i = 0; i < tcount; i++) {
4157         ret = test_akcipher_one(tfm, vecs++);
4158         if (!ret)
4159             continue;
4160
4161         pr_err("alg: akcipher: test %d failed for %s, err=%d\n",
4162                i + 1, algo, ret);
4163         return ret;
4164     }
4165     return 0;
4166 }
4167
4168 static int alg_test_akcipher(const struct alg_test_desc *desc,
4169                  const char *driver, u32 type, u32 mask)
4170 {
4171     struct crypto_akcipher *tfm;
4172     int err = 0;
4173
4174     tfm = crypto_alloc_akcipher(driver, type, mask);
4175     if (IS_ERR(tfm)) {
4176         pr_err("alg: akcipher: Failed to load tfm for %s: %ld\n",
4177                driver, PTR_ERR(tfm));
4178         return PTR_ERR(tfm);
4179     }
4180     if (desc->suite.akcipher.vecs)
4181         err = test_akcipher(tfm, desc->alg, desc->suite.akcipher.vecs,
4182                     desc->suite.akcipher.count);
4183
4184     crypto_free_akcipher(tfm);
4185     return err;
4186 }
4187
4188 static int alg_test_null(const struct alg_test_desc *desc,
4189                  const char *driver, u32 type, u32 mask)
4190 {
4191     return 0;
4192 }
4193
4194 #define ____VECS(tv)    .vecs = tv, .count = ARRAY_SIZE(tv)
4195 #define __VECS(tv)  { ____VECS(tv) }
4196
4197 /* Please keep this list sorted by algorithm name. */
4198 static const struct alg_test_desc alg_test_descs[] = {
4199     {
4200         .alg = "adiantum(xchacha12,aes)",
4201         .generic_driver = "adiantum(xchacha12-generic,aes-generic,nhpoly1305-generic)",
4202         .test = alg_test_skcipher,
4203         .suite = {
4204             .cipher = __VECS(adiantum_xchacha12_aes_tv_template)
4205         },
4206     }, {
4207         .alg = "adiantum(xchacha20,aes)",
4208         .generic_driver = "adiantum(xchacha20-generic,aes-generic,nhpoly1305-generic)",
4209         .test = alg_test_skcipher,
4210         .suite = {
4211             .cipher = __VECS(adiantum_xchacha20_aes_tv_template)
4212         },
4213     }, {
4214         .alg = "aegis128",
4215         .test = alg_test_aead,
4216         .suite = {
4217             .aead = __VECS(aegis128_tv_template)
4218         }
4219     }, {
4220         .alg = "ansi_cprng",
4221         .test = alg_test_cprng,
4222         .suite = {
4223             .cprng = __VECS(ansi_cprng_aes_tv_template)
4224         }
4225     }, {
4226         .alg = "authenc(hmac(md5),ecb(cipher_null))",
4227         .test = alg_test_aead,
4228         .suite = {
4229             .aead = __VECS(hmac_md5_ecb_cipher_null_tv_template)
4230         }
4231     }, {
4232         .alg = "authenc(hmac(sha1),cbc(aes))",
4233         .test = alg_test_aead,
4234         .fips_allowed = 1,
4235         .suite = {
4236             .aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
4237         }
4238     }, {
4239         .alg = "authenc(hmac(sha1),cbc(des))",
4240         .test = alg_test_aead,
4241         .suite = {
4242             .aead = __VECS(hmac_sha1_des_cbc_tv_temp)
4243         }
4244     }, {
4245         .alg = "authenc(hmac(sha1),cbc(des3_ede))",
4246         .test = alg_test_aead,
4247         .suite = {
4248             .aead = __VECS(hmac_sha1_des3_ede_cbc_tv_temp)
4249         }
4250     }, {
4251         .alg = "authenc(hmac(sha1),ctr(aes))",
4252         .test = alg_test_null,
4253         .fips_allowed = 1,
4254     }, {
4255         .alg = "authenc(hmac(sha1),ecb(cipher_null))",
4256         .test = alg_test_aead,
4257         .suite = {
4258             .aead = __VECS(hmac_sha1_ecb_cipher_null_tv_temp)
4259         }
4260     }, {
4261         .alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
4262         .test = alg_test_null,
4263         .fips_allowed = 1,
4264     }, {
4265         .alg = "authenc(hmac(sha224),cbc(des))",
4266         .test = alg_test_aead,
4267         .suite = {
4268             .aead = __VECS(hmac_sha224_des_cbc_tv_temp)
4269         }
4270     }, {
4271         .alg = "authenc(hmac(sha224),cbc(des3_ede))",
4272         .test = alg_test_aead,
4273         .suite = {
4274             .aead = __VECS(hmac_sha224_des3_ede_cbc_tv_temp)
4275         }
4276     }, {
4277         .alg = "authenc(hmac(sha256),cbc(aes))",
4278         .test = alg_test_aead,
4279         .fips_allowed = 1,
4280         .suite = {
4281             .aead = __VECS(hmac_sha256_aes_cbc_tv_temp)
4282         }
4283     }, {
4284         .alg = "authenc(hmac(sha256),cbc(des))",
4285         .test = alg_test_aead,
4286         .suite = {
4287             .aead = __VECS(hmac_sha256_des_cbc_tv_temp)
4288         }
4289     }, {
4290         .alg = "authenc(hmac(sha256),cbc(des3_ede))",
4291         .test = alg_test_aead,
4292         .suite = {
4293             .aead = __VECS(hmac_sha256_des3_ede_cbc_tv_temp)
4294         }
4295     }, {
4296         .alg = "authenc(hmac(sha256),ctr(aes))",
4297         .test = alg_test_null,
4298         .fips_allowed = 1,
4299     }, {
4300         .alg = "authenc(hmac(sha256),rfc3686(ctr(aes)))",
4301         .test = alg_test_null,
4302         .fips_allowed = 1,
4303     }, {
4304         .alg = "authenc(hmac(sha384),cbc(des))",
4305         .test = alg_test_aead,
4306         .suite = {
4307             .aead = __VECS(hmac_sha384_des_cbc_tv_temp)
4308         }
4309     }, {
4310         .alg = "authenc(hmac(sha384),cbc(des3_ede))",
4311         .test = alg_test_aead,
4312         .suite = {
4313             .aead = __VECS(hmac_sha384_des3_ede_cbc_tv_temp)
4314         }
4315     }, {
4316         .alg = "authenc(hmac(sha384),ctr(aes))",
4317         .test = alg_test_null,
4318         .fips_allowed = 1,
4319     }, {
4320         .alg = "authenc(hmac(sha384),rfc3686(ctr(aes)))",
4321         .test = alg_test_null,
4322         .fips_allowed = 1,
4323     }, {
4324         .alg = "authenc(hmac(sha512),cbc(aes))",
4325         .fips_allowed = 1,
4326         .test = alg_test_aead,
4327         .suite = {
4328             .aead = __VECS(hmac_sha512_aes_cbc_tv_temp)
4329         }
4330     }, {
4331         .alg = "authenc(hmac(sha512),cbc(des))",
4332         .test = alg_test_aead,
4333         .suite = {
4334             .aead = __VECS(hmac_sha512_des_cbc_tv_temp)
4335         }
4336     }, {
4337         .alg = "authenc(hmac(sha512),cbc(des3_ede))",
4338         .test = alg_test_aead,
4339         .suite = {
4340             .aead = __VECS(hmac_sha512_des3_ede_cbc_tv_temp)
4341         }
4342     }, {
4343         .alg = "authenc(hmac(sha512),ctr(aes))",
4344         .test = alg_test_null,
4345         .fips_allowed = 1,
4346     }, {
4347         .alg = "authenc(hmac(sha512),rfc3686(ctr(aes)))",
4348         .test = alg_test_null,
4349         .fips_allowed = 1,
4350     }, {
4351         .alg = "blake2b-160",
4352         .test = alg_test_hash,
4353         .fips_allowed = 0,
4354         .suite = {
4355             .hash = __VECS(blake2b_160_tv_template)
4356         }
4357     }, {
4358         .alg = "blake2b-256",
4359         .test = alg_test_hash,
4360         .fips_allowed = 0,
4361         .suite = {
4362             .hash = __VECS(blake2b_256_tv_template)
4363         }
4364     }, {
4365         .alg = "blake2b-384",
4366         .test = alg_test_hash,
4367         .fips_allowed = 0,
4368         .suite = {
4369             .hash = __VECS(blake2b_384_tv_template)
4370         }
4371     }, {
4372         .alg = "blake2b-512",
4373         .test = alg_test_hash,
4374         .fips_allowed = 0,
4375         .suite = {
4376             .hash = __VECS(blake2b_512_tv_template)
4377         }
4378     }, {
4379         .alg = "cbc(aes)",
4380         .test = alg_test_skcipher,
4381         .fips_allowed = 1,
4382         .suite = {
4383             .cipher = __VECS(aes_cbc_tv_template)
4384         },
4385     }, {
4386         .alg = "cbc(anubis)",
4387         .test = alg_test_skcipher,
4388         .suite = {
4389             .cipher = __VECS(anubis_cbc_tv_template)
4390         },
4391     }, {
4392         .alg = "cbc(aria)",
4393         .test = alg_test_skcipher,
4394         .suite = {
4395             .cipher = __VECS(aria_cbc_tv_template)
4396         },
4397     }, {
4398         .alg = "cbc(blowfish)",
4399         .test = alg_test_skcipher,
4400         .suite = {
4401             .cipher = __VECS(bf_cbc_tv_template)
4402         },
4403     }, {
4404         .alg = "cbc(camellia)",
4405         .test = alg_test_skcipher,
4406         .suite = {
4407             .cipher = __VECS(camellia_cbc_tv_template)
4408         },
4409     }, {
4410         .alg = "cbc(cast5)",
4411         .test = alg_test_skcipher,
4412         .suite = {
4413             .cipher = __VECS(cast5_cbc_tv_template)
4414         },
4415     }, {
4416         .alg = "cbc(cast6)",
4417         .test = alg_test_skcipher,
4418         .suite = {
4419             .cipher = __VECS(cast6_cbc_tv_template)
4420         },
4421     }, {
4422         .alg = "cbc(des)",
4423         .test = alg_test_skcipher,
4424         .suite = {
4425             .cipher = __VECS(des_cbc_tv_template)
4426         },
4427     }, {
4428         .alg = "cbc(des3_ede)",
4429         .test = alg_test_skcipher,
4430         .suite = {
4431             .cipher = __VECS(des3_ede_cbc_tv_template)
4432         },
4433     }, {
4434         /* Same as cbc(aes) except the key is stored in
4435          * hardware secure memory which we reference by index
4436          */
4437         .alg = "cbc(paes)",
4438         .test = alg_test_null,
4439         .fips_allowed = 1,
4440     }, {
4441         /* Same as cbc(sm4) except the key is stored in
4442          * hardware secure memory which we reference by index
4443          */
4444         .alg = "cbc(psm4)",
4445         .test = alg_test_null,
4446     }, {
4447         .alg = "cbc(serpent)",
4448         .test = alg_test_skcipher,
4449         .suite = {
4450             .cipher = __VECS(serpent_cbc_tv_template)
4451         },
4452     }, {
4453         .alg = "cbc(sm4)",
4454         .test = alg_test_skcipher,
4455         .suite = {
4456             .cipher = __VECS(sm4_cbc_tv_template)
4457         }
4458     }, {
4459         .alg = "cbc(twofish)",
4460         .test = alg_test_skcipher,
4461         .suite = {
4462             .cipher = __VECS(tf_cbc_tv_template)
4463         },
4464     }, {
4465 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4466         .alg = "cbc-paes-s390",
4467         .fips_allowed = 1,
4468         .test = alg_test_skcipher,
4469         .suite = {
4470             .cipher = __VECS(aes_cbc_tv_template)
4471         }
4472     }, {
4473 #endif
4474         .alg = "cbcmac(aes)",
4475         .fips_allowed = 1,
4476         .test = alg_test_hash,
4477         .suite = {
4478             .hash = __VECS(aes_cbcmac_tv_template)
4479         }
4480     }, {
4481         .alg = "cbcmac(sm4)",
4482         .test = alg_test_hash,
4483         .suite = {
4484             .hash = __VECS(sm4_cbcmac_tv_template)
4485         }
4486     }, {
4487         .alg = "ccm(aes)",
4488         .generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))",
4489         .test = alg_test_aead,
4490         .fips_allowed = 1,
4491         .suite = {
4492             .aead = {
4493                 ____VECS(aes_ccm_tv_template),
4494                 .einval_allowed = 1,
4495             }
4496         }
4497     }, {
4498         .alg = "ccm(sm4)",
4499         .generic_driver = "ccm_base(ctr(sm4-generic),cbcmac(sm4-generic))",
4500         .test = alg_test_aead,
4501         .suite = {
4502             .aead = {
4503                 ____VECS(sm4_ccm_tv_template),
4504                 .einval_allowed = 1,
4505             }
4506         }
4507     }, {
4508         .alg = "cfb(aes)",
4509         .test = alg_test_skcipher,
4510         .fips_allowed = 1,
4511         .suite = {
4512             .cipher = __VECS(aes_cfb_tv_template)
4513         },
4514     }, {
4515         .alg = "cfb(aria)",
4516         .test = alg_test_skcipher,
4517         .suite = {
4518             .cipher = __VECS(aria_cfb_tv_template)
4519         },
4520     }, {
4521         .alg = "cfb(sm4)",
4522         .test = alg_test_skcipher,
4523         .suite = {
4524             .cipher = __VECS(sm4_cfb_tv_template)
4525         }
4526     }, {
4527         .alg = "chacha20",
4528         .test = alg_test_skcipher,
4529         .suite = {
4530             .cipher = __VECS(chacha20_tv_template)
4531         },
4532     }, {
4533         .alg = "cmac(aes)",
4534         .fips_allowed = 1,
4535         .test = alg_test_hash,
4536         .suite = {
4537             .hash = __VECS(aes_cmac128_tv_template)
4538         }
4539     }, {
4540         .alg = "cmac(des3_ede)",
4541         .test = alg_test_hash,
4542         .suite = {
4543             .hash = __VECS(des3_ede_cmac64_tv_template)
4544         }
4545     }, {
4546         .alg = "cmac(sm4)",
4547         .test = alg_test_hash,
4548         .suite = {
4549             .hash = __VECS(sm4_cmac128_tv_template)
4550         }
4551     }, {
4552         .alg = "compress_null",
4553         .test = alg_test_null,
4554     }, {
4555         .alg = "crc32",
4556         .test = alg_test_hash,
4557         .fips_allowed = 1,
4558         .suite = {
4559             .hash = __VECS(crc32_tv_template)
4560         }
4561     }, {
4562         .alg = "crc32c",
4563         .test = alg_test_crc32c,
4564         .fips_allowed = 1,
4565         .suite = {
4566             .hash = __VECS(crc32c_tv_template)
4567         }
4568     }, {
4569         .alg = "crc64-rocksoft",
4570         .test = alg_test_hash,
4571         .fips_allowed = 1,
4572         .suite = {
4573             .hash = __VECS(crc64_rocksoft_tv_template)
4574         }
4575     }, {
4576         .alg = "crct10dif",
4577         .test = alg_test_hash,
4578         .fips_allowed = 1,
4579         .suite = {
4580             .hash = __VECS(crct10dif_tv_template)
4581         }
4582     }, {
4583         .alg = "ctr(aes)",
4584         .test = alg_test_skcipher,
4585         .fips_allowed = 1,
4586         .suite = {
4587             .cipher = __VECS(aes_ctr_tv_template)
4588         }
4589     }, {
4590         .alg = "ctr(aria)",
4591         .test = alg_test_skcipher,
4592         .suite = {
4593             .cipher = __VECS(aria_ctr_tv_template)
4594         }
4595     }, {
4596         .alg = "ctr(blowfish)",
4597         .test = alg_test_skcipher,
4598         .suite = {
4599             .cipher = __VECS(bf_ctr_tv_template)
4600         }
4601     }, {
4602         .alg = "ctr(camellia)",
4603         .test = alg_test_skcipher,
4604         .suite = {
4605             .cipher = __VECS(camellia_ctr_tv_template)
4606         }
4607     }, {
4608         .alg = "ctr(cast5)",
4609         .test = alg_test_skcipher,
4610         .suite = {
4611             .cipher = __VECS(cast5_ctr_tv_template)
4612         }
4613     }, {
4614         .alg = "ctr(cast6)",
4615         .test = alg_test_skcipher,
4616         .suite = {
4617             .cipher = __VECS(cast6_ctr_tv_template)
4618         }
4619     }, {
4620         .alg = "ctr(des)",
4621         .test = alg_test_skcipher,
4622         .suite = {
4623             .cipher = __VECS(des_ctr_tv_template)
4624         }
4625     }, {
4626         .alg = "ctr(des3_ede)",
4627         .test = alg_test_skcipher,
4628         .suite = {
4629             .cipher = __VECS(des3_ede_ctr_tv_template)
4630         }
4631     }, {
4632         /* Same as ctr(aes) except the key is stored in
4633          * hardware secure memory which we reference by index
4634          */
4635         .alg = "ctr(paes)",
4636         .test = alg_test_null,
4637         .fips_allowed = 1,
4638     }, {
4639
4640         /* Same as ctr(sm4) except the key is stored in
4641          * hardware secure memory which we reference by index
4642          */
4643         .alg = "ctr(psm4)",
4644         .test = alg_test_null,
4645     }, {
4646         .alg = "ctr(serpent)",
4647         .test = alg_test_skcipher,
4648         .suite = {
4649             .cipher = __VECS(serpent_ctr_tv_template)
4650         }
4651     }, {
4652         .alg = "ctr(sm4)",
4653         .test = alg_test_skcipher,
4654         .suite = {
4655             .cipher = __VECS(sm4_ctr_tv_template)
4656         }
4657     }, {
4658         .alg = "ctr(twofish)",
4659         .test = alg_test_skcipher,
4660         .suite = {
4661             .cipher = __VECS(tf_ctr_tv_template)
4662         }
4663     }, {
4664 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4665         .alg = "ctr-paes-s390",
4666         .fips_allowed = 1,
4667         .test = alg_test_skcipher,
4668         .suite = {
4669             .cipher = __VECS(aes_ctr_tv_template)
4670         }
4671     }, {
4672 #endif
4673         .alg = "cts(cbc(aes))",
4674         .test = alg_test_skcipher,
4675         .fips_allowed = 1,
4676         .suite = {
4677             .cipher = __VECS(cts_mode_tv_template)
4678         }
4679     }, {
4680         /* Same as cts(cbc((aes)) except the key is stored in
4681          * hardware secure memory which we reference by index
4682          */
4683         .alg = "cts(cbc(paes))",
4684         .test = alg_test_null,
4685         .fips_allowed = 1,
4686     }, {
4687         .alg = "curve25519",
4688         .test = alg_test_kpp,
4689         .suite = {
4690             .kpp = __VECS(curve25519_tv_template)
4691         }
4692     }, {
4693         .alg = "deflate",
4694         .test = alg_test_comp,
4695         .fips_allowed = 1,
4696         .suite = {
4697             .comp = {
4698                 .comp = __VECS(deflate_comp_tv_template),
4699                 .decomp = __VECS(deflate_decomp_tv_template)
4700             }
4701         }
4702     }, {
4703         .alg = "dh",
4704         .test = alg_test_kpp,
4705         .suite = {
4706             .kpp = __VECS(dh_tv_template)
4707         }
4708     }, {
4709         .alg = "digest_null",
4710         .test = alg_test_null,
4711     }, {
4712         .alg = "drbg_nopr_ctr_aes128",
4713         .test = alg_test_drbg,
4714         .fips_allowed = 1,
4715         .suite = {
4716             .drbg = __VECS(drbg_nopr_ctr_aes128_tv_template)
4717         }
4718     }, {
4719         .alg = "drbg_nopr_ctr_aes192",
4720         .test = alg_test_drbg,
4721         .fips_allowed = 1,
4722         .suite = {
4723             .drbg = __VECS(drbg_nopr_ctr_aes192_tv_template)
4724         }
4725     }, {
4726         .alg = "drbg_nopr_ctr_aes256",
4727         .test = alg_test_drbg,
4728         .fips_allowed = 1,
4729         .suite = {
4730             .drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
4731         }
4732     }, {
4733         /*
4734          * There is no need to specifically test the DRBG with every
4735          * backend cipher -- covered by drbg_nopr_hmac_sha256 test
4736          */
4737         .alg = "drbg_nopr_hmac_sha1",
4738         .fips_allowed = 1,
4739         .test = alg_test_null,
4740     }, {
4741         .alg = "drbg_nopr_hmac_sha256",
4742         .test = alg_test_drbg,
4743         .fips_allowed = 1,
4744         .suite = {
4745             .drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
4746         }
4747     }, {
4748         /* covered by drbg_nopr_hmac_sha256 test */
4749         .alg = "drbg_nopr_hmac_sha384",
4750         .fips_allowed = 1,
4751         .test = alg_test_null,
4752     }, {
4753         .alg = "drbg_nopr_hmac_sha512",
4754         .test = alg_test_drbg,
4755         .fips_allowed = 1,
4756         .suite = {
4757             .drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
4758         }
4759     }, {
4760         .alg = "drbg_nopr_sha1",
4761         .fips_allowed = 1,
4762         .test = alg_test_null,
4763     }, {
4764         .alg = "drbg_nopr_sha256",
4765         .test = alg_test_drbg,
4766         .fips_allowed = 1,
4767         .suite = {
4768             .drbg = __VECS(drbg_nopr_sha256_tv_template)
4769         }
4770     }, {
4771         /* covered by drbg_nopr_sha256 test */
4772         .alg = "drbg_nopr_sha384",
4773         .fips_allowed = 1,
4774         .test = alg_test_null,
4775     }, {
4776         .alg = "drbg_nopr_sha512",
4777         .fips_allowed = 1,
4778         .test = alg_test_null,
4779     }, {
4780         .alg = "drbg_pr_ctr_aes128",
4781         .test = alg_test_drbg,
4782         .fips_allowed = 1,
4783         .suite = {
4784             .drbg = __VECS(drbg_pr_ctr_aes128_tv_template)
4785         }
4786     }, {
4787         /* covered by drbg_pr_ctr_aes128 test */
4788         .alg = "drbg_pr_ctr_aes192",
4789         .fips_allowed = 1,
4790         .test = alg_test_null,
4791     }, {
4792         .alg = "drbg_pr_ctr_aes256",
4793         .fips_allowed = 1,
4794         .test = alg_test_null,
4795     }, {
4796         .alg = "drbg_pr_hmac_sha1",
4797         .fips_allowed = 1,
4798         .test = alg_test_null,
4799     }, {
4800         .alg = "drbg_pr_hmac_sha256",
4801         .test = alg_test_drbg,
4802         .fips_allowed = 1,
4803         .suite = {
4804             .drbg = __VECS(drbg_pr_hmac_sha256_tv_template)
4805         }
4806     }, {
4807         /* covered by drbg_pr_hmac_sha256 test */
4808         .alg = "drbg_pr_hmac_sha384",
4809         .fips_allowed = 1,
4810         .test = alg_test_null,
4811     }, {
4812         .alg = "drbg_pr_hmac_sha512",
4813         .test = alg_test_null,
4814         .fips_allowed = 1,
4815     }, {
4816         .alg = "drbg_pr_sha1",
4817         .fips_allowed = 1,
4818         .test = alg_test_null,
4819     }, {
4820         .alg = "drbg_pr_sha256",
4821         .test = alg_test_drbg,
4822         .fips_allowed = 1,
4823         .suite = {
4824             .drbg = __VECS(drbg_pr_sha256_tv_template)
4825         }
4826     }, {
4827         /* covered by drbg_pr_sha256 test */
4828         .alg = "drbg_pr_sha384",
4829         .fips_allowed = 1,
4830         .test = alg_test_null,
4831     }, {
4832         .alg = "drbg_pr_sha512",
4833         .fips_allowed = 1,
4834         .test = alg_test_null,
4835     }, {
4836         .alg = "ecb(aes)",
4837         .test = alg_test_skcipher,
4838         .fips_allowed = 1,
4839         .suite = {
4840             .cipher = __VECS(aes_tv_template)
4841         }
4842     }, {
4843         .alg = "ecb(anubis)",
4844         .test = alg_test_skcipher,
4845         .suite = {
4846             .cipher = __VECS(anubis_tv_template)
4847         }
4848     }, {
4849         .alg = "ecb(arc4)",
4850         .generic_driver = "ecb(arc4)-generic",
4851         .test = alg_test_skcipher,
4852         .suite = {
4853             .cipher = __VECS(arc4_tv_template)
4854         }
4855     }, {
4856         .alg = "ecb(aria)",
4857         .test = alg_test_skcipher,
4858         .suite = {
4859             .cipher = __VECS(aria_tv_template)
4860         }
4861     }, {
4862         .alg = "ecb(blowfish)",
4863         .test = alg_test_skcipher,
4864         .suite = {
4865             .cipher = __VECS(bf_tv_template)
4866         }
4867     }, {
4868         .alg = "ecb(camellia)",
4869         .test = alg_test_skcipher,
4870         .suite = {
4871             .cipher = __VECS(camellia_tv_template)
4872         }
4873     }, {
4874         .alg = "ecb(cast5)",
4875         .test = alg_test_skcipher,
4876         .suite = {
4877             .cipher = __VECS(cast5_tv_template)
4878         }
4879     }, {
4880         .alg = "ecb(cast6)",
4881         .test = alg_test_skcipher,
4882         .suite = {
4883             .cipher = __VECS(cast6_tv_template)
4884         }
4885     }, {
4886         .alg = "ecb(cipher_null)",
4887         .test = alg_test_null,
4888         .fips_allowed = 1,
4889     }, {
4890         .alg = "ecb(des)",
4891         .test = alg_test_skcipher,
4892         .suite = {
4893             .cipher = __VECS(des_tv_template)
4894         }
4895     }, {
4896         .alg = "ecb(des3_ede)",
4897         .test = alg_test_skcipher,
4898         .suite = {
4899             .cipher = __VECS(des3_ede_tv_template)
4900         }
4901     }, {
4902         .alg = "ecb(fcrypt)",
4903         .test = alg_test_skcipher,
4904         .suite = {
4905             .cipher = {
4906                 .vecs = fcrypt_pcbc_tv_template,
4907                 .count = 1
4908             }
4909         }
4910     }, {
4911         .alg = "ecb(khazad)",
4912         .test = alg_test_skcipher,
4913         .suite = {
4914             .cipher = __VECS(khazad_tv_template)
4915         }
4916     }, {
4917         /* Same as ecb(aes) except the key is stored in
4918          * hardware secure memory which we reference by index
4919          */
4920         .alg = "ecb(paes)",
4921         .test = alg_test_null,
4922         .fips_allowed = 1,
4923     }, {
4924         .alg = "ecb(seed)",
4925         .test = alg_test_skcipher,
4926         .suite = {
4927             .cipher = __VECS(seed_tv_template)
4928         }
4929     }, {
4930         .alg = "ecb(serpent)",
4931         .test = alg_test_skcipher,
4932         .suite = {
4933             .cipher = __VECS(serpent_tv_template)
4934         }
4935     }, {
4936         .alg = "ecb(sm4)",
4937         .test = alg_test_skcipher,
4938         .suite = {
4939             .cipher = __VECS(sm4_tv_template)
4940         }
4941     }, {
4942         .alg = "ecb(tea)",
4943         .test = alg_test_skcipher,
4944         .suite = {
4945             .cipher = __VECS(tea_tv_template)
4946         }
4947     }, {
4948         .alg = "ecb(twofish)",
4949         .test = alg_test_skcipher,
4950         .suite = {
4951             .cipher = __VECS(tf_tv_template)
4952         }
4953     }, {
4954         .alg = "ecb(xeta)",
4955         .test = alg_test_skcipher,
4956         .suite = {
4957             .cipher = __VECS(xeta_tv_template)
4958         }
4959     }, {
4960         .alg = "ecb(xtea)",
4961         .test = alg_test_skcipher,
4962         .suite = {
4963             .cipher = __VECS(xtea_tv_template)
4964         }
4965     }, {
4966 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4967         .alg = "ecb-paes-s390",
4968         .fips_allowed = 1,
4969         .test = alg_test_skcipher,
4970         .suite = {
4971             .cipher = __VECS(aes_tv_template)
4972         }
4973     }, {
4974 #endif
4975         .alg = "ecdh-nist-p192",
4976         .test = alg_test_kpp,
4977         .suite = {
4978             .kpp = __VECS(ecdh_p192_tv_template)
4979         }
4980     }, {
4981         .alg = "ecdh-nist-p256",
4982         .test = alg_test_kpp,
4983         .fips_allowed = 1,
4984         .suite = {
4985             .kpp = __VECS(ecdh_p256_tv_template)
4986         }
4987     }, {
4988         .alg = "ecdh-nist-p384",
4989         .test = alg_test_kpp,
4990         .fips_allowed = 1,
4991         .suite = {
4992             .kpp = __VECS(ecdh_p384_tv_template)
4993         }
4994     }, {
4995         .alg = "ecdsa-nist-p192",
4996         .test = alg_test_akcipher,
4997         .suite = {
4998             .akcipher = __VECS(ecdsa_nist_p192_tv_template)
4999         }
5000     }, {
5001         .alg = "ecdsa-nist-p256",
5002         .test = alg_test_akcipher,
5003         .suite = {
5004             .akcipher = __VECS(ecdsa_nist_p256_tv_template)
5005         }
5006     }, {
5007         .alg = "ecdsa-nist-p384",
5008         .test = alg_test_akcipher,
5009         .suite = {
5010             .akcipher = __VECS(ecdsa_nist_p384_tv_template)
5011         }
5012     }, {
5013         .alg = "ecrdsa",
5014         .test = alg_test_akcipher,
5015         .suite = {
5016             .akcipher = __VECS(ecrdsa_tv_template)
5017         }
5018     }, {
5019         .alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)",
5020         .test = alg_test_aead,
5021         .fips_allowed = 1,
5022         .suite = {
5023             .aead = __VECS(essiv_hmac_sha256_aes_cbc_tv_temp)
5024         }
5025     }, {
5026         .alg = "essiv(cbc(aes),sha256)",
5027         .test = alg_test_skcipher,
5028         .fips_allowed = 1,
5029         .suite = {
5030             .cipher = __VECS(essiv_aes_cbc_tv_template)
5031         }
5032     }, {
5033 #if IS_ENABLED(CONFIG_CRYPTO_DH_RFC7919_GROUPS)
5034         .alg = "ffdhe2048(dh)",
5035         .test = alg_test_kpp,
5036         .fips_allowed = 1,
5037         .suite = {
5038             .kpp = __VECS(ffdhe2048_dh_tv_template)
5039         }
5040     }, {
5041         .alg = "ffdhe3072(dh)",
5042         .test = alg_test_kpp,
5043         .fips_allowed = 1,
5044         .suite = {
5045             .kpp = __VECS(ffdhe3072_dh_tv_template)
5046         }
5047     }, {
5048         .alg = "ffdhe4096(dh)",
5049         .test = alg_test_kpp,
5050         .fips_allowed = 1,
5051         .suite = {
5052             .kpp = __VECS(ffdhe4096_dh_tv_template)
5053         }
5054     }, {
5055         .alg = "ffdhe6144(dh)",
5056         .test = alg_test_kpp,
5057         .fips_allowed = 1,
5058         .suite = {
5059             .kpp = __VECS(ffdhe6144_dh_tv_template)
5060         }
5061     }, {
5062         .alg = "ffdhe8192(dh)",
5063         .test = alg_test_kpp,
5064         .fips_allowed = 1,
5065         .suite = {
5066             .kpp = __VECS(ffdhe8192_dh_tv_template)
5067         }
5068     }, {
5069 #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
5070         .alg = "gcm(aes)",
5071         .generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)",
5072         .test = alg_test_aead,
5073         .fips_allowed = 1,
5074         .suite = {
5075             .aead = __VECS(aes_gcm_tv_template)
5076         }
5077     }, {
5078         .alg = "gcm(aria)",
5079         .generic_driver = "gcm_base(ctr(aria-generic),ghash-generic)",
5080         .test = alg_test_aead,
5081         .suite = {
5082             .aead = __VECS(aria_gcm_tv_template)
5083         }
5084     }, {
5085         .alg = "gcm(sm4)",
5086         .generic_driver = "gcm_base(ctr(sm4-generic),ghash-generic)",
5087         .test = alg_test_aead,
5088         .suite = {
5089             .aead = __VECS(sm4_gcm_tv_template)
5090         }
5091     }, {
5092         .alg = "ghash",
5093         .test = alg_test_hash,
5094         .fips_allowed = 1,
5095         .suite = {
5096             .hash = __VECS(ghash_tv_template)
5097         }
5098     }, {
5099         .alg = "hctr2(aes)",
5100         .generic_driver =
5101             "hctr2_base(xctr(aes-generic),polyval-generic)",
5102         .test = alg_test_skcipher,
5103         .suite = {
5104             .cipher = __VECS(aes_hctr2_tv_template)
5105         }
5106     }, {
5107         .alg = "hmac(md5)",
5108         .test = alg_test_hash,
5109         .suite = {
5110             .hash = __VECS(hmac_md5_tv_template)
5111         }
5112     }, {
5113         .alg = "hmac(rmd160)",
5114         .test = alg_test_hash,
5115         .suite = {
5116             .hash = __VECS(hmac_rmd160_tv_template)
5117         }
5118     }, {
5119         .alg = "hmac(sha1)",
5120         .test = alg_test_hash,
5121         .fips_allowed = 1,
5122         .suite = {
5123             .hash = __VECS(hmac_sha1_tv_template)
5124         }
5125     }, {
5126         .alg = "hmac(sha224)",
5127         .test = alg_test_hash,
5128         .fips_allowed = 1,
5129         .suite = {
5130             .hash = __VECS(hmac_sha224_tv_template)
5131         }
5132     }, {
5133         .alg = "hmac(sha256)",
5134         .test = alg_test_hash,
5135         .fips_allowed = 1,
5136         .suite = {
5137             .hash = __VECS(hmac_sha256_tv_template)
5138         }
5139     }, {
5140         .alg = "hmac(sha3-224)",
5141         .test = alg_test_hash,
5142         .fips_allowed = 1,
5143         .suite = {
5144             .hash = __VECS(hmac_sha3_224_tv_template)
5145         }
5146     }, {
5147         .alg = "hmac(sha3-256)",
5148         .test = alg_test_hash,
5149         .fips_allowed = 1,
5150         .suite = {
5151             .hash = __VECS(hmac_sha3_256_tv_template)
5152         }
5153     }, {
5154         .alg = "hmac(sha3-384)",
5155         .test = alg_test_hash,
5156         .fips_allowed = 1,
5157         .suite = {
5158             .hash = __VECS(hmac_sha3_384_tv_template)
5159         }
5160     }, {
5161         .alg = "hmac(sha3-512)",
5162         .test = alg_test_hash,
5163         .fips_allowed = 1,
5164         .suite = {
5165             .hash = __VECS(hmac_sha3_512_tv_template)
5166         }
5167     }, {
5168         .alg = "hmac(sha384)",
5169         .test = alg_test_hash,
5170         .fips_allowed = 1,
5171         .suite = {
5172             .hash = __VECS(hmac_sha384_tv_template)
5173         }
5174     }, {
5175         .alg = "hmac(sha512)",
5176         .test = alg_test_hash,
5177         .fips_allowed = 1,
5178         .suite = {
5179             .hash = __VECS(hmac_sha512_tv_template)
5180         }
5181     }, {
5182         .alg = "hmac(sm3)",
5183         .test = alg_test_hash,
5184         .suite = {
5185             .hash = __VECS(hmac_sm3_tv_template)
5186         }
5187     }, {
5188         .alg = "hmac(streebog256)",
5189         .test = alg_test_hash,
5190         .suite = {
5191             .hash = __VECS(hmac_streebog256_tv_template)
5192         }
5193     }, {
5194         .alg = "hmac(streebog512)",
5195         .test = alg_test_hash,
5196         .suite = {
5197             .hash = __VECS(hmac_streebog512_tv_template)
5198         }
5199     }, {
5200         .alg = "jitterentropy_rng",
5201         .fips_allowed = 1,
5202         .test = alg_test_null,
5203     }, {
5204         .alg = "kw(aes)",
5205         .test = alg_test_skcipher,
5206         .fips_allowed = 1,
5207         .suite = {
5208             .cipher = __VECS(aes_kw_tv_template)
5209         }
5210     }, {
5211         .alg = "lrw(aes)",
5212         .generic_driver = "lrw(ecb(aes-generic))",
5213         .test = alg_test_skcipher,
5214         .suite = {
5215             .cipher = __VECS(aes_lrw_tv_template)
5216         }
5217     }, {
5218         .alg = "lrw(camellia)",
5219         .generic_driver = "lrw(ecb(camellia-generic))",
5220         .test = alg_test_skcipher,
5221         .suite = {
5222             .cipher = __VECS(camellia_lrw_tv_template)
5223         }
5224     }, {
5225         .alg = "lrw(cast6)",
5226         .generic_driver = "lrw(ecb(cast6-generic))",
5227         .test = alg_test_skcipher,
5228         .suite = {
5229             .cipher = __VECS(cast6_lrw_tv_template)
5230         }
5231     }, {
5232         .alg = "lrw(serpent)",
5233         .generic_driver = "lrw(ecb(serpent-generic))",
5234         .test = alg_test_skcipher,
5235         .suite = {
5236             .cipher = __VECS(serpent_lrw_tv_template)
5237         }
5238     }, {
5239         .alg = "lrw(twofish)",
5240         .generic_driver = "lrw(ecb(twofish-generic))",
5241         .test = alg_test_skcipher,
5242         .suite = {
5243             .cipher = __VECS(tf_lrw_tv_template)
5244         }
5245     }, {
5246         .alg = "lz4",
5247         .test = alg_test_comp,
5248         .fips_allowed = 1,
5249         .suite = {
5250             .comp = {
5251                 .comp = __VECS(lz4_comp_tv_template),
5252                 .decomp = __VECS(lz4_decomp_tv_template)
5253             }
5254         }
5255     }, {
5256         .alg = "lz4hc",
5257         .test = alg_test_comp,
5258         .fips_allowed = 1,
5259         .suite = {
5260             .comp = {
5261                 .comp = __VECS(lz4hc_comp_tv_template),
5262                 .decomp = __VECS(lz4hc_decomp_tv_template)
5263             }
5264         }
5265     }, {
5266         .alg = "lzo",
5267         .test = alg_test_comp,
5268         .fips_allowed = 1,
5269         .suite = {
5270             .comp = {
5271                 .comp = __VECS(lzo_comp_tv_template),
5272                 .decomp = __VECS(lzo_decomp_tv_template)
5273             }
5274         }
5275     }, {
5276         .alg = "lzo-rle",
5277         .test = alg_test_comp,
5278         .fips_allowed = 1,
5279         .suite = {
5280             .comp = {
5281                 .comp = __VECS(lzorle_comp_tv_template),
5282                 .decomp = __VECS(lzorle_decomp_tv_template)
5283             }
5284         }
5285     }, {
5286         .alg = "md4",
5287         .test = alg_test_hash,
5288         .suite = {
5289             .hash = __VECS(md4_tv_template)
5290         }
5291     }, {
5292         .alg = "md5",
5293         .test = alg_test_hash,
5294         .suite = {
5295             .hash = __VECS(md5_tv_template)
5296         }
5297     }, {
5298         .alg = "michael_mic",
5299         .test = alg_test_hash,
5300         .suite = {
5301             .hash = __VECS(michael_mic_tv_template)
5302         }
5303     }, {
5304         .alg = "nhpoly1305",
5305         .test = alg_test_hash,
5306         .suite = {
5307             .hash = __VECS(nhpoly1305_tv_template)
5308         }
5309     }, {
5310         .alg = "ofb(aes)",
5311         .test = alg_test_skcipher,
5312         .fips_allowed = 1,
5313         .suite = {
5314             .cipher = __VECS(aes_ofb_tv_template)
5315         }
5316     }, {
5317         /* Same as ofb(aes) except the key is stored in
5318          * hardware secure memory which we reference by index
5319          */
5320         .alg = "ofb(paes)",
5321         .test = alg_test_null,
5322         .fips_allowed = 1,
5323     }, {
5324         .alg = "ofb(sm4)",
5325         .test = alg_test_skcipher,
5326         .suite = {
5327             .cipher = __VECS(sm4_ofb_tv_template)
5328         }
5329     }, {
5330         .alg = "pcbc(fcrypt)",
5331         .test = alg_test_skcipher,
5332         .suite = {
5333             .cipher = __VECS(fcrypt_pcbc_tv_template)
5334         }
5335     }, {
5336         .alg = "pkcs1pad(rsa,sha224)",
5337         .test = alg_test_null,
5338         .fips_allowed = 1,
5339     }, {
5340         .alg = "pkcs1pad(rsa,sha256)",
5341         .test = alg_test_akcipher,
5342         .fips_allowed = 1,
5343         .suite = {
5344             .akcipher = __VECS(pkcs1pad_rsa_tv_template)
5345         }
5346     }, {
5347         .alg = "pkcs1pad(rsa,sha384)",
5348         .test = alg_test_null,
5349         .fips_allowed = 1,
5350     }, {
5351         .alg = "pkcs1pad(rsa,sha512)",
5352         .test = alg_test_null,
5353         .fips_allowed = 1,
5354     }, {
5355         .alg = "poly1305",
5356         .test = alg_test_hash,
5357         .suite = {
5358             .hash = __VECS(poly1305_tv_template)
5359         }
5360     }, {
5361         .alg = "polyval",
5362         .test = alg_test_hash,
5363         .suite = {
5364             .hash = __VECS(polyval_tv_template)
5365         }
5366     }, {
5367         .alg = "rfc3686(ctr(aes))",
5368         .test = alg_test_skcipher,
5369         .fips_allowed = 1,
5370         .suite = {
5371             .cipher = __VECS(aes_ctr_rfc3686_tv_template)
5372         }
5373     }, {
5374         .alg = "rfc3686(ctr(sm4))",
5375         .test = alg_test_skcipher,
5376         .suite = {
5377             .cipher = __VECS(sm4_ctr_rfc3686_tv_template)
5378         }
5379     }, {
5380         .alg = "rfc4106(gcm(aes))",
5381         .generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))",
5382         .test = alg_test_aead,
5383         .fips_allowed = 1,
5384         .suite = {
5385             .aead = {
5386                 ____VECS(aes_gcm_rfc4106_tv_template),
5387                 .einval_allowed = 1,
5388                 .aad_iv = 1,
5389             }
5390         }
5391     }, {
5392         .alg = "rfc4309(ccm(aes))",
5393         .generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))",
5394         .test = alg_test_aead,
5395         .fips_allowed = 1,
5396         .suite = {
5397             .aead = {
5398                 ____VECS(aes_ccm_rfc4309_tv_template),
5399                 .einval_allowed = 1,
5400                 .aad_iv = 1,
5401             }
5402         }
5403     }, {
5404         .alg = "rfc4543(gcm(aes))",
5405         .generic_driver = "rfc4543(gcm_base(ctr(aes-generic),ghash-generic))",
5406         .test = alg_test_aead,
5407         .suite = {
5408             .aead = {
5409                 ____VECS(aes_gcm_rfc4543_tv_template),
5410                 .einval_allowed = 1,
5411                 .aad_iv = 1,
5412             }
5413         }
5414     }, {
5415         .alg = "rfc7539(chacha20,poly1305)",
5416         .test = alg_test_aead,
5417         .suite = {
5418             .aead = __VECS(rfc7539_tv_template)
5419         }
5420     }, {
5421         .alg = "rfc7539esp(chacha20,poly1305)",
5422         .test = alg_test_aead,
5423         .suite = {
5424             .aead = {
5425                 ____VECS(rfc7539esp_tv_template),
5426                 .einval_allowed = 1,
5427                 .aad_iv = 1,
5428             }
5429         }
5430     }, {
5431         .alg = "rmd160",
5432         .test = alg_test_hash,
5433         .suite = {
5434             .hash = __VECS(rmd160_tv_template)
5435         }
5436     }, {
5437         .alg = "rsa",
5438         .test = alg_test_akcipher,
5439         .fips_allowed = 1,
5440         .suite = {
5441             .akcipher = __VECS(rsa_tv_template)
5442         }
5443     }, {
5444         .alg = "sha1",
5445         .test = alg_test_hash,
5446         .fips_allowed = 1,
5447         .suite = {
5448             .hash = __VECS(sha1_tv_template)
5449         }
5450     }, {
5451         .alg = "sha224",
5452         .test = alg_test_hash,
5453         .fips_allowed = 1,
5454         .suite = {
5455             .hash = __VECS(sha224_tv_template)
5456         }
5457     }, {
5458         .alg = "sha256",
5459         .test = alg_test_hash,
5460         .fips_allowed = 1,
5461         .suite = {
5462             .hash = __VECS(sha256_tv_template)
5463         }
5464     }, {
5465         .alg = "sha3-224",
5466         .test = alg_test_hash,
5467         .fips_allowed = 1,
5468         .suite = {
5469             .hash = __VECS(sha3_224_tv_template)
5470         }
5471     }, {
5472         .alg = "sha3-256",
5473         .test = alg_test_hash,
5474         .fips_allowed = 1,
5475         .suite = {
5476             .hash = __VECS(sha3_256_tv_template)
5477         }
5478     }, {
5479         .alg = "sha3-384",
5480         .test = alg_test_hash,
5481         .fips_allowed = 1,
5482         .suite = {
5483             .hash = __VECS(sha3_384_tv_template)
5484         }
5485     }, {
5486         .alg = "sha3-512",
5487         .test = alg_test_hash,
5488         .fips_allowed = 1,
5489         .suite = {
5490             .hash = __VECS(sha3_512_tv_template)
5491         }
5492     }, {
5493         .alg = "sha384",
5494         .test = alg_test_hash,
5495         .fips_allowed = 1,
5496         .suite = {
5497             .hash = __VECS(sha384_tv_template)
5498         }
5499     }, {
5500         .alg = "sha512",
5501         .test = alg_test_hash,
5502         .fips_allowed = 1,
5503         .suite = {
5504             .hash = __VECS(sha512_tv_template)
5505         }
5506     }, {
5507         .alg = "sm2",
5508         .test = alg_test_akcipher,
5509         .suite = {
5510             .akcipher = __VECS(sm2_tv_template)
5511         }
5512     }, {
5513         .alg = "sm3",
5514         .test = alg_test_hash,
5515         .suite = {
5516             .hash = __VECS(sm3_tv_template)
5517         }
5518     }, {
5519         .alg = "streebog256",
5520         .test = alg_test_hash,
5521         .suite = {
5522             .hash = __VECS(streebog256_tv_template)
5523         }
5524     }, {
5525         .alg = "streebog512",
5526         .test = alg_test_hash,
5527         .suite = {
5528             .hash = __VECS(streebog512_tv_template)
5529         }
5530     }, {
5531         .alg = "vmac64(aes)",
5532         .test = alg_test_hash,
5533         .suite = {
5534             .hash = __VECS(vmac64_aes_tv_template)
5535         }
5536     }, {
5537         .alg = "wp256",
5538         .test = alg_test_hash,
5539         .suite = {
5540             .hash = __VECS(wp256_tv_template)
5541         }
5542     }, {
5543         .alg = "wp384",
5544         .test = alg_test_hash,
5545         .suite = {
5546             .hash = __VECS(wp384_tv_template)
5547         }
5548     }, {
5549         .alg = "wp512",
5550         .test = alg_test_hash,
5551         .suite = {
5552             .hash = __VECS(wp512_tv_template)
5553         }
5554     }, {
5555         .alg = "xcbc(aes)",
5556         .test = alg_test_hash,
5557         .suite = {
5558             .hash = __VECS(aes_xcbc128_tv_template)
5559         }
5560     }, {
5561         .alg = "xchacha12",
5562         .test = alg_test_skcipher,
5563         .suite = {
5564             .cipher = __VECS(xchacha12_tv_template)
5565         },
5566     }, {
5567         .alg = "xchacha20",
5568         .test = alg_test_skcipher,
5569         .suite = {
5570             .cipher = __VECS(xchacha20_tv_template)
5571         },
5572     }, {
5573         .alg = "xctr(aes)",
5574         .test = alg_test_skcipher,
5575         .suite = {
5576             .cipher = __VECS(aes_xctr_tv_template)
5577         }
5578     }, {
5579         .alg = "xts(aes)",
5580         .generic_driver = "xts(ecb(aes-generic))",
5581         .test = alg_test_skcipher,
5582         .fips_allowed = 1,
5583         .suite = {
5584             .cipher = __VECS(aes_xts_tv_template)
5585         }
5586     }, {
5587         .alg = "xts(camellia)",
5588         .generic_driver = "xts(ecb(camellia-generic))",
5589         .test = alg_test_skcipher,
5590         .suite = {
5591             .cipher = __VECS(camellia_xts_tv_template)
5592         }
5593     }, {
5594         .alg = "xts(cast6)",
5595         .generic_driver = "xts(ecb(cast6-generic))",
5596         .test = alg_test_skcipher,
5597         .suite = {
5598             .cipher = __VECS(cast6_xts_tv_template)
5599         }
5600     }, {
5601         /* Same as xts(aes) except the key is stored in
5602          * hardware secure memory which we reference by index
5603          */
5604         .alg = "xts(paes)",
5605         .test = alg_test_null,
5606         .fips_allowed = 1,
5607     }, {
5608         .alg = "xts(serpent)",
5609         .generic_driver = "xts(ecb(serpent-generic))",
5610         .test = alg_test_skcipher,
5611         .suite = {
5612             .cipher = __VECS(serpent_xts_tv_template)
5613         }
5614     }, {
5615         .alg = "xts(twofish)",
5616         .generic_driver = "xts(ecb(twofish-generic))",
5617         .test = alg_test_skcipher,
5618         .suite = {
5619             .cipher = __VECS(tf_xts_tv_template)
5620         }
5621     }, {
5622 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
5623         .alg = "xts-paes-s390",
5624         .fips_allowed = 1,
5625         .test = alg_test_skcipher,
5626         .suite = {
5627             .cipher = __VECS(aes_xts_tv_template)
5628         }
5629     }, {
5630 #endif
5631         .alg = "xts4096(paes)",
5632         .test = alg_test_null,
5633         .fips_allowed = 1,
5634     }, {
5635         .alg = "xts512(paes)",
5636         .test = alg_test_null,
5637         .fips_allowed = 1,
5638     }, {
5639         .alg = "xxhash64",
5640         .test = alg_test_hash,
5641         .fips_allowed = 1,
5642         .suite = {
5643             .hash = __VECS(xxhash64_tv_template)
5644         }
5645     }, {
5646         .alg = "zlib-deflate",
5647         .test = alg_test_comp,
5648         .fips_allowed = 1,
5649         .suite = {
5650             .comp = {
5651                 .comp = __VECS(zlib_deflate_comp_tv_template),
5652                 .decomp = __VECS(zlib_deflate_decomp_tv_template)
5653             }
5654         }
5655     }, {
5656         .alg = "zstd",
5657         .test = alg_test_comp,
5658         .fips_allowed = 1,
5659         .suite = {
5660             .comp = {
5661                 .comp = __VECS(zstd_comp_tv_template),
5662                 .decomp = __VECS(zstd_decomp_tv_template)
5663             }
5664         }
5665     }
5666 };
5667
5668 static void alg_check_test_descs_order(void)
5669 {
5670     int i;
5671
5672     for (i = 1; i < ARRAY_SIZE(alg_test_descs); i++) {
5673         int diff = strcmp(alg_test_descs[i - 1].alg,
5674                   alg_test_descs[i].alg);
5675
5676         if (WARN_ON(diff > 0)) {
5677             pr_warn("testmgr: alg_test_descs entries in wrong order: '%s' before '%s'\n",
5678                 alg_test_descs[i - 1].alg,
5679                 alg_test_descs[i].alg);
5680         }
5681
5682         if (WARN_ON(diff == 0)) {
5683             pr_warn("testmgr: duplicate alg_test_descs entry: '%s'\n",
5684                 alg_test_descs[i].alg);
5685         }
5686     }
5687 }
5688
5689 static void alg_check_testvec_configs(void)
5690 {
5691     int i;
5692
5693     for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++)
5694         WARN_ON(!valid_testvec_config(
5695                 &default_cipher_testvec_configs[i]));
5696
5697     for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++)
5698         WARN_ON(!valid_testvec_config(
5699                 &default_hash_testvec_configs[i]));
5700 }
5701
5702 static void testmgr_onetime_init(void)
5703 {
5704     alg_check_test_descs_order();
5705     alg_check_testvec_configs();
5706
5707 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
5708     pr_warn("alg: extra crypto tests enabled.  This is intended for developer use only.\n");
5709 #endif
5710 }
5711
5712 static int alg_find_test(const char *alg)
5713 {
5714     int start = 0;
5715     int end = ARRAY_SIZE(alg_test_descs);
5716
5717     while (start < end) {
5718         int i = (start + end) / 2;
5719         int diff = strcmp(alg_test_descs[i].alg, alg);
5720
5721         if (diff > 0) {
5722             end = i;
5723             continue;
5724         }
5725
5726         if (diff < 0) {
5727             start = i + 1;
5728             continue;
5729         }
5730
5731         return i;
5732     }
5733
5734     return -1;
5735 }
5736
5737 static int alg_fips_disabled(const char *driver, const char *alg)
5738 {
5739     pr_info("alg: %s (%s) is disabled due to FIPS\n", alg, driver);
5740
5741     return -ECANCELED;
5742 }
5743
5744 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
5745 {
5746     int i;
5747     int j;
5748     int rc;
5749
5750     if (!fips_enabled && notests) {
5751         printk_once(KERN_INFO "alg: self-tests disabled\n");
5752         return 0;
5753     }
5754
5755     DO_ONCE(testmgr_onetime_init);
5756
5757     if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) {
5758         char nalg[CRYPTO_MAX_ALG_NAME];
5759
5760         if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
5761             sizeof(nalg))
5762             return -ENAMETOOLONG;
5763
5764         i = alg_find_test(nalg);
5765         if (i < 0)
5766             goto notest;
5767
5768         if (fips_enabled && !alg_test_descs[i].fips_allowed)
5769             goto non_fips_alg;
5770
5771         rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
5772         goto test_done;
5773     }
5774
5775     i = alg_find_test(alg);
5776     j = alg_find_test(driver);
5777     if (i < 0 && j < 0)
5778         goto notest;
5779
5780     if (fips_enabled) {
5781         if (j >= 0 && !alg_test_descs[j].fips_allowed)
5782             return -EINVAL;
5783
5784         if (i >= 0 && !alg_test_descs[i].fips_allowed)
5785             goto non_fips_alg;
5786     }
5787
5788     rc = 0;
5789     if (i >= 0)
5790         rc |= alg_test_descs[i].test(alg_test_descs + i, driver,
5791                          type, mask);
5792     if (j >= 0 && j != i)
5793         rc |= alg_test_descs[j].test(alg_test_descs + j, driver,
5794                          type, mask);
5795
5796 test_done:
5797     if (rc) {
5798         if (fips_enabled || panic_on_fail) {
5799             fips_fail_notify();
5800             panic("alg: self-tests for %s (%s) failed in %s mode!\n",
5801                   driver, alg,
5802                   fips_enabled ? "fips" : "panic_on_fail");
5803         }
5804         WARN(1, "alg: self-tests for %s (%s) failed (rc=%d)",
5805              driver, alg, rc);
5806     } else {
5807         if (fips_enabled)
5808             pr_info("alg: self-tests for %s (%s) passed\n",
5809                 driver, alg);
5810     }
5811
5812     return rc;
5813
5814 notest:
5815     printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);
5816
5817     if (type & CRYPTO_ALG_FIPS_INTERNAL)
5818         return alg_fips_disabled(driver, alg);
5819
5820     return 0;
5821 non_fips_alg:
5822     return alg_fips_disabled(driver, alg);
5823 }
5824
5825 #endif /* CONFIG_CRYPTO_MANAGER_DISABLE_TESTS */
5826
5827 EXPORT_SYMBOL_GPL(alg_test);