1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* |
3 | * Algorithm testing framework and tests. |
4 | * |
5 | * Copyright (c) 2002 James Morris <jmorris@intercode.com.au> |
6 | * Copyright (c) 2002 Jean-Francois Dive <jef@linuxbe.org> |
7 | * Copyright (c) 2007 Nokia Siemens Networks |
8 | * Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au> |
9 | * Copyright (c) 2019 Google LLC |
10 | * |
11 | * Updated RFC4106 AES-GCM testing. |
12 | * Authors: Aidan O'Mahony (aidan.o.mahony@intel.com) |
13 | * Adrian Hoban <adrian.hoban@intel.com> |
14 | * Gabriele Paoloni <gabriele.paoloni@intel.com> |
15 | * Tadeusz Struk (tadeusz.struk@intel.com) |
16 | * Copyright (c) 2010, Intel Corporation. |
17 | */ |
18 | |
19 | #include <crypto/aead.h> |
20 | #include <crypto/hash.h> |
21 | #include <crypto/skcipher.h> |
22 | #include <linux/err.h> |
23 | #include <linux/fips.h> |
24 | #include <linux/module.h> |
25 | #include <linux/once.h> |
26 | #include <linux/random.h> |
27 | #include <linux/scatterlist.h> |
28 | #include <linux/slab.h> |
29 | #include <linux/string.h> |
30 | #include <linux/uio.h> |
31 | #include <crypto/rng.h> |
32 | #include <crypto/drbg.h> |
33 | #include <crypto/akcipher.h> |
34 | #include <crypto/kpp.h> |
35 | #include <crypto/acompress.h> |
36 | #include <crypto/internal/cipher.h> |
37 | #include <crypto/internal/simd.h> |
38 | |
39 | #include "internal.h" |
40 | |
41 | MODULE_IMPORT_NS(CRYPTO_INTERNAL); |
42 | |
43 | static bool notests; |
44 | module_param(notests, bool, 0644); |
45 | MODULE_PARM_DESC(notests, "disable crypto self-tests" ); |
46 | |
47 | static bool panic_on_fail; |
48 | module_param(panic_on_fail, bool, 0444); |
49 | |
50 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
51 | static bool noextratests; |
52 | module_param(noextratests, bool, 0644); |
53 | MODULE_PARM_DESC(noextratests, "disable expensive crypto self-tests" ); |
54 | |
55 | static unsigned int fuzz_iterations = 100; |
56 | module_param(fuzz_iterations, uint, 0644); |
57 | MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations" ); |
58 | #endif |
59 | |
60 | #ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS |
61 | |
62 | /* a perfect nop */ |
63 | int alg_test(const char *driver, const char *alg, u32 type, u32 mask) |
64 | { |
65 | return 0; |
66 | } |
67 | |
68 | #else |
69 | |
70 | #include "testmgr.h" |
71 | |
72 | /* |
73 | * Need slab memory for testing (size in number of pages). |
74 | */ |
75 | #define XBUFSIZE 8 |
76 | |
77 | /* |
78 | * Used by test_cipher() |
79 | */ |
80 | #define ENCRYPT 1 |
81 | #define DECRYPT 0 |
82 | |
83 | struct aead_test_suite { |
84 | const struct aead_testvec *vecs; |
85 | unsigned int count; |
86 | |
87 | /* |
88 | * Set if trying to decrypt an inauthentic ciphertext with this |
89 | * algorithm might result in EINVAL rather than EBADMSG, due to other |
90 | * validation the algorithm does on the inputs such as length checks. |
91 | */ |
92 | unsigned int einval_allowed : 1; |
93 | |
94 | /* |
95 | * Set if this algorithm requires that the IV be located at the end of |
96 | * the AAD buffer, in addition to being given in the normal way. The |
97 | * behavior when the two IV copies differ is implementation-defined. |
98 | */ |
99 | unsigned int aad_iv : 1; |
100 | }; |
101 | |
102 | struct cipher_test_suite { |
103 | const struct cipher_testvec *vecs; |
104 | unsigned int count; |
105 | }; |
106 | |
107 | struct comp_test_suite { |
108 | struct { |
109 | const struct comp_testvec *vecs; |
110 | unsigned int count; |
111 | } comp, decomp; |
112 | }; |
113 | |
114 | struct hash_test_suite { |
115 | const struct hash_testvec *vecs; |
116 | unsigned int count; |
117 | }; |
118 | |
119 | struct cprng_test_suite { |
120 | const struct cprng_testvec *vecs; |
121 | unsigned int count; |
122 | }; |
123 | |
124 | struct drbg_test_suite { |
125 | const struct drbg_testvec *vecs; |
126 | unsigned int count; |
127 | }; |
128 | |
129 | struct akcipher_test_suite { |
130 | const struct akcipher_testvec *vecs; |
131 | unsigned int count; |
132 | }; |
133 | |
134 | struct kpp_test_suite { |
135 | const struct kpp_testvec *vecs; |
136 | unsigned int count; |
137 | }; |
138 | |
139 | struct alg_test_desc { |
140 | const char *alg; |
141 | const char *generic_driver; |
142 | int (*test)(const struct alg_test_desc *desc, const char *driver, |
143 | u32 type, u32 mask); |
144 | int fips_allowed; /* set if alg is allowed in fips mode */ |
145 | |
146 | union { |
147 | struct aead_test_suite aead; |
148 | struct cipher_test_suite cipher; |
149 | struct comp_test_suite comp; |
150 | struct hash_test_suite hash; |
151 | struct cprng_test_suite cprng; |
152 | struct drbg_test_suite drbg; |
153 | struct akcipher_test_suite akcipher; |
154 | struct kpp_test_suite kpp; |
155 | } suite; |
156 | }; |
157 | |
158 | static void hexdump(unsigned char *buf, unsigned int len) |
159 | { |
160 | print_hex_dump(KERN_CONT, "" , DUMP_PREFIX_OFFSET, |
161 | 16, 1, |
162 | buf, len, false); |
163 | } |
164 | |
165 | static int __testmgr_alloc_buf(char *buf[XBUFSIZE], int order) |
166 | { |
167 | int i; |
168 | |
169 | for (i = 0; i < XBUFSIZE; i++) { |
170 | buf[i] = (char *)__get_free_pages(GFP_KERNEL, order); |
171 | if (!buf[i]) |
172 | goto err_free_buf; |
173 | } |
174 | |
175 | return 0; |
176 | |
177 | err_free_buf: |
178 | while (i-- > 0) |
179 | free_pages((unsigned long)buf[i], order); |
180 | |
181 | return -ENOMEM; |
182 | } |
183 | |
184 | static int testmgr_alloc_buf(char *buf[XBUFSIZE]) |
185 | { |
186 | return __testmgr_alloc_buf(buf, 0); |
187 | } |
188 | |
189 | static void __testmgr_free_buf(char *buf[XBUFSIZE], int order) |
190 | { |
191 | int i; |
192 | |
193 | for (i = 0; i < XBUFSIZE; i++) |
194 | free_pages((unsigned long)buf[i], order); |
195 | } |
196 | |
197 | static void testmgr_free_buf(char *buf[XBUFSIZE]) |
198 | { |
199 | __testmgr_free_buf(buf, 0); |
200 | } |
201 | |
202 | #define TESTMGR_POISON_BYTE 0xfe |
203 | #define TESTMGR_POISON_LEN 16 |
204 | |
205 | static inline void testmgr_poison(void *addr, size_t len) |
206 | { |
207 | memset(addr, TESTMGR_POISON_BYTE, len); |
208 | } |
209 | |
210 | /* Is the memory region still fully poisoned? */ |
211 | static inline bool testmgr_is_poison(const void *addr, size_t len) |
212 | { |
213 | return memchr_inv(addr, TESTMGR_POISON_BYTE, len) == NULL; |
214 | } |
215 | |
216 | /* flush type for hash algorithms */ |
217 | enum flush_type { |
218 | /* merge with update of previous buffer(s) */ |
219 | FLUSH_TYPE_NONE = 0, |
220 | |
221 | /* update with previous buffer(s) before doing this one */ |
222 | FLUSH_TYPE_FLUSH, |
223 | |
224 | /* likewise, but also export and re-import the intermediate state */ |
225 | FLUSH_TYPE_REIMPORT, |
226 | }; |
227 | |
228 | /* finalization function for hash algorithms */ |
229 | enum finalization_type { |
230 | FINALIZATION_TYPE_FINAL, /* use final() */ |
231 | FINALIZATION_TYPE_FINUP, /* use finup() */ |
232 | FINALIZATION_TYPE_DIGEST, /* use digest() */ |
233 | }; |
234 | |
235 | /* |
236 | * Whether the crypto operation will occur in-place, and if so whether the |
237 | * source and destination scatterlist pointers will coincide (req->src == |
238 | * req->dst), or whether they'll merely point to two separate scatterlists |
239 | * (req->src != req->dst) that reference the same underlying memory. |
240 | * |
241 | * This is only relevant for algorithm types that support in-place operation. |
242 | */ |
243 | enum inplace_mode { |
244 | OUT_OF_PLACE, |
245 | INPLACE_ONE_SGLIST, |
246 | INPLACE_TWO_SGLISTS, |
247 | }; |
248 | |
249 | #define TEST_SG_TOTAL 10000 |
250 | |
251 | /** |
252 | * struct test_sg_division - description of a scatterlist entry |
253 | * |
254 | * This struct describes one entry of a scatterlist being constructed to check a |
255 | * crypto test vector. |
256 | * |
257 | * @proportion_of_total: length of this chunk relative to the total length, |
258 | * given as a proportion out of TEST_SG_TOTAL so that it |
259 | * scales to fit any test vector |
260 | * @offset: byte offset into a 2-page buffer at which this chunk will start |
261 | * @offset_relative_to_alignmask: if true, add the algorithm's alignmask to the |
262 | * @offset |
263 | * @flush_type: for hashes, whether an update() should be done now vs. |
264 | * continuing to accumulate data |
265 | * @nosimd: if doing the pending update(), do it with SIMD disabled? |
266 | */ |
267 | struct test_sg_division { |
268 | unsigned int proportion_of_total; |
269 | unsigned int offset; |
270 | bool offset_relative_to_alignmask; |
271 | enum flush_type flush_type; |
272 | bool nosimd; |
273 | }; |
274 | |
275 | /** |
276 | * struct testvec_config - configuration for testing a crypto test vector |
277 | * |
278 | * This struct describes the data layout and other parameters with which each |
279 | * crypto test vector can be tested. |
280 | * |
281 | * @name: name of this config, logged for debugging purposes if a test fails |
282 | * @inplace_mode: whether and how to operate on the data in-place, if applicable |
283 | * @req_flags: extra request_flags, e.g. CRYPTO_TFM_REQ_MAY_SLEEP |
284 | * @src_divs: description of how to arrange the source scatterlist |
285 | * @dst_divs: description of how to arrange the dst scatterlist, if applicable |
286 | * for the algorithm type. Defaults to @src_divs if unset. |
287 | * @iv_offset: misalignment of the IV in the range [0..MAX_ALGAPI_ALIGNMASK+1], |
288 | * where 0 is aligned to a 2*(MAX_ALGAPI_ALIGNMASK+1) byte boundary |
289 | * @iv_offset_relative_to_alignmask: if true, add the algorithm's alignmask to |
290 | * the @iv_offset |
291 | * @key_offset: misalignment of the key, where 0 is default alignment |
292 | * @key_offset_relative_to_alignmask: if true, add the algorithm's alignmask to |
293 | * the @key_offset |
294 | * @finalization_type: what finalization function to use for hashes |
295 | * @nosimd: execute with SIMD disabled? Requires !CRYPTO_TFM_REQ_MAY_SLEEP. |
296 | */ |
297 | struct testvec_config { |
298 | const char *name; |
299 | enum inplace_mode inplace_mode; |
300 | u32 req_flags; |
301 | struct test_sg_division src_divs[XBUFSIZE]; |
302 | struct test_sg_division dst_divs[XBUFSIZE]; |
303 | unsigned int iv_offset; |
304 | unsigned int key_offset; |
305 | bool iv_offset_relative_to_alignmask; |
306 | bool key_offset_relative_to_alignmask; |
307 | enum finalization_type finalization_type; |
308 | bool nosimd; |
309 | }; |
310 | |
311 | #define TESTVEC_CONFIG_NAMELEN 192 |
312 | |
313 | /* |
314 | * The following are the lists of testvec_configs to test for each algorithm |
315 | * type when the basic crypto self-tests are enabled, i.e. when |
316 | * CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is unset. They aim to provide good test |
317 | * coverage, while keeping the test time much shorter than the full fuzz tests |
318 | * so that the basic tests can be enabled in a wider range of circumstances. |
319 | */ |
320 | |
321 | /* Configs for skciphers and aeads */ |
322 | static const struct testvec_config default_cipher_testvec_configs[] = { |
323 | { |
324 | .name = "in-place (one sglist)" , |
325 | .inplace_mode = INPLACE_ONE_SGLIST, |
326 | .src_divs = { { .proportion_of_total = 10000 } }, |
327 | }, { |
328 | .name = "in-place (two sglists)" , |
329 | .inplace_mode = INPLACE_TWO_SGLISTS, |
330 | .src_divs = { { .proportion_of_total = 10000 } }, |
331 | }, { |
332 | .name = "out-of-place" , |
333 | .inplace_mode = OUT_OF_PLACE, |
334 | .src_divs = { { .proportion_of_total = 10000 } }, |
335 | }, { |
336 | .name = "unaligned buffer, offset=1" , |
337 | .src_divs = { { .proportion_of_total = 10000, .offset = 1 } }, |
338 | .iv_offset = 1, |
339 | .key_offset = 1, |
340 | }, { |
341 | .name = "buffer aligned only to alignmask" , |
342 | .src_divs = { |
343 | { |
344 | .proportion_of_total = 10000, |
345 | .offset = 1, |
346 | .offset_relative_to_alignmask = true, |
347 | }, |
348 | }, |
349 | .iv_offset = 1, |
350 | .iv_offset_relative_to_alignmask = true, |
351 | .key_offset = 1, |
352 | .key_offset_relative_to_alignmask = true, |
353 | }, { |
354 | .name = "two even aligned splits" , |
355 | .src_divs = { |
356 | { .proportion_of_total = 5000 }, |
357 | { .proportion_of_total = 5000 }, |
358 | }, |
359 | }, { |
360 | .name = "one src, two even splits dst" , |
361 | .inplace_mode = OUT_OF_PLACE, |
362 | .src_divs = { { .proportion_of_total = 10000 } }, |
363 | .dst_divs = { |
364 | { .proportion_of_total = 5000 }, |
365 | { .proportion_of_total = 5000 }, |
366 | }, |
367 | }, { |
368 | .name = "uneven misaligned splits, may sleep" , |
369 | .req_flags = CRYPTO_TFM_REQ_MAY_SLEEP, |
370 | .src_divs = { |
371 | { .proportion_of_total = 1900, .offset = 33 }, |
372 | { .proportion_of_total = 3300, .offset = 7 }, |
373 | { .proportion_of_total = 4800, .offset = 18 }, |
374 | }, |
375 | .iv_offset = 3, |
376 | .key_offset = 3, |
377 | }, { |
378 | .name = "misaligned splits crossing pages, inplace" , |
379 | .inplace_mode = INPLACE_ONE_SGLIST, |
380 | .src_divs = { |
381 | { |
382 | .proportion_of_total = 7500, |
383 | .offset = PAGE_SIZE - 32 |
384 | }, { |
385 | .proportion_of_total = 2500, |
386 | .offset = PAGE_SIZE - 7 |
387 | }, |
388 | }, |
389 | } |
390 | }; |
391 | |
392 | static const struct testvec_config default_hash_testvec_configs[] = { |
393 | { |
394 | .name = "init+update+final aligned buffer" , |
395 | .src_divs = { { .proportion_of_total = 10000 } }, |
396 | .finalization_type = FINALIZATION_TYPE_FINAL, |
397 | }, { |
398 | .name = "init+finup aligned buffer" , |
399 | .src_divs = { { .proportion_of_total = 10000 } }, |
400 | .finalization_type = FINALIZATION_TYPE_FINUP, |
401 | }, { |
402 | .name = "digest aligned buffer" , |
403 | .src_divs = { { .proportion_of_total = 10000 } }, |
404 | .finalization_type = FINALIZATION_TYPE_DIGEST, |
405 | }, { |
406 | .name = "init+update+final misaligned buffer" , |
407 | .src_divs = { { .proportion_of_total = 10000, .offset = 1 } }, |
408 | .finalization_type = FINALIZATION_TYPE_FINAL, |
409 | .key_offset = 1, |
410 | }, { |
411 | .name = "digest misaligned buffer" , |
412 | .src_divs = { |
413 | { |
414 | .proportion_of_total = 10000, |
415 | .offset = 1, |
416 | }, |
417 | }, |
418 | .finalization_type = FINALIZATION_TYPE_DIGEST, |
419 | .key_offset = 1, |
420 | }, { |
421 | .name = "init+update+update+final two even splits" , |
422 | .src_divs = { |
423 | { .proportion_of_total = 5000 }, |
424 | { |
425 | .proportion_of_total = 5000, |
426 | .flush_type = FLUSH_TYPE_FLUSH, |
427 | }, |
428 | }, |
429 | .finalization_type = FINALIZATION_TYPE_FINAL, |
430 | }, { |
431 | .name = "digest uneven misaligned splits, may sleep" , |
432 | .req_flags = CRYPTO_TFM_REQ_MAY_SLEEP, |
433 | .src_divs = { |
434 | { .proportion_of_total = 1900, .offset = 33 }, |
435 | { .proportion_of_total = 3300, .offset = 7 }, |
436 | { .proportion_of_total = 4800, .offset = 18 }, |
437 | }, |
438 | .finalization_type = FINALIZATION_TYPE_DIGEST, |
439 | }, { |
440 | .name = "digest misaligned splits crossing pages" , |
441 | .src_divs = { |
442 | { |
443 | .proportion_of_total = 7500, |
444 | .offset = PAGE_SIZE - 32, |
445 | }, { |
446 | .proportion_of_total = 2500, |
447 | .offset = PAGE_SIZE - 7, |
448 | }, |
449 | }, |
450 | .finalization_type = FINALIZATION_TYPE_DIGEST, |
451 | }, { |
452 | .name = "import/export" , |
453 | .src_divs = { |
454 | { |
455 | .proportion_of_total = 6500, |
456 | .flush_type = FLUSH_TYPE_REIMPORT, |
457 | }, { |
458 | .proportion_of_total = 3500, |
459 | .flush_type = FLUSH_TYPE_REIMPORT, |
460 | }, |
461 | }, |
462 | .finalization_type = FINALIZATION_TYPE_FINAL, |
463 | } |
464 | }; |
465 | |
466 | static unsigned int count_test_sg_divisions(const struct test_sg_division *divs) |
467 | { |
468 | unsigned int remaining = TEST_SG_TOTAL; |
469 | unsigned int ndivs = 0; |
470 | |
471 | do { |
472 | remaining -= divs[ndivs++].proportion_of_total; |
473 | } while (remaining); |
474 | |
475 | return ndivs; |
476 | } |
477 | |
478 | #define SGDIVS_HAVE_FLUSHES BIT(0) |
479 | #define SGDIVS_HAVE_NOSIMD BIT(1) |
480 | |
481 | static bool valid_sg_divisions(const struct test_sg_division *divs, |
482 | unsigned int count, int *flags_ret) |
483 | { |
484 | unsigned int total = 0; |
485 | unsigned int i; |
486 | |
487 | for (i = 0; i < count && total != TEST_SG_TOTAL; i++) { |
488 | if (divs[i].proportion_of_total <= 0 || |
489 | divs[i].proportion_of_total > TEST_SG_TOTAL - total) |
490 | return false; |
491 | total += divs[i].proportion_of_total; |
492 | if (divs[i].flush_type != FLUSH_TYPE_NONE) |
493 | *flags_ret |= SGDIVS_HAVE_FLUSHES; |
494 | if (divs[i].nosimd) |
495 | *flags_ret |= SGDIVS_HAVE_NOSIMD; |
496 | } |
497 | return total == TEST_SG_TOTAL && |
498 | memchr_inv(&divs[i], 0, (count - i) * sizeof(divs[0])) == NULL; |
499 | } |
500 | |
501 | /* |
502 | * Check whether the given testvec_config is valid. This isn't strictly needed |
503 | * since every testvec_config should be valid, but check anyway so that people |
504 | * don't unknowingly add broken configs that don't do what they wanted. |
505 | */ |
506 | static bool valid_testvec_config(const struct testvec_config *cfg) |
507 | { |
508 | int flags = 0; |
509 | |
510 | if (cfg->name == NULL) |
511 | return false; |
512 | |
513 | if (!valid_sg_divisions(cfg->src_divs, ARRAY_SIZE(cfg->src_divs), |
514 | &flags)) |
515 | return false; |
516 | |
517 | if (cfg->dst_divs[0].proportion_of_total) { |
518 | if (!valid_sg_divisions(cfg->dst_divs, |
519 | ARRAY_SIZE(cfg->dst_divs), &flags)) |
520 | return false; |
521 | } else { |
522 | if (memchr_inv(cfg->dst_divs, 0, sizeof(cfg->dst_divs))) |
523 | return false; |
524 | /* defaults to dst_divs=src_divs */ |
525 | } |
526 | |
527 | if (cfg->iv_offset + |
528 | (cfg->iv_offset_relative_to_alignmask ? MAX_ALGAPI_ALIGNMASK : 0) > |
529 | MAX_ALGAPI_ALIGNMASK + 1) |
530 | return false; |
531 | |
532 | if ((flags & (SGDIVS_HAVE_FLUSHES | SGDIVS_HAVE_NOSIMD)) && |
533 | cfg->finalization_type == FINALIZATION_TYPE_DIGEST) |
534 | return false; |
535 | |
536 | if ((cfg->nosimd || (flags & SGDIVS_HAVE_NOSIMD)) && |
537 | (cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP)) |
538 | return false; |
539 | |
540 | return true; |
541 | } |
542 | |
543 | struct test_sglist { |
544 | char *bufs[XBUFSIZE]; |
545 | struct scatterlist sgl[XBUFSIZE]; |
546 | struct scatterlist sgl_saved[XBUFSIZE]; |
547 | struct scatterlist *sgl_ptr; |
548 | unsigned int nents; |
549 | }; |
550 | |
551 | static int init_test_sglist(struct test_sglist *tsgl) |
552 | { |
553 | return __testmgr_alloc_buf(tsgl->bufs, 1 /* two pages per buffer */); |
554 | } |
555 | |
556 | static void destroy_test_sglist(struct test_sglist *tsgl) |
557 | { |
558 | return __testmgr_free_buf(tsgl->bufs, 1 /* two pages per buffer */); |
559 | } |
560 | |
561 | /** |
562 | * build_test_sglist() - build a scatterlist for a crypto test |
563 | * |
564 | * @tsgl: the scatterlist to build. @tsgl->bufs[] contains an array of 2-page |
565 | * buffers which the scatterlist @tsgl->sgl[] will be made to point into. |
566 | * @divs: the layout specification on which the scatterlist will be based |
567 | * @alignmask: the algorithm's alignmask |
568 | * @total_len: the total length of the scatterlist to build in bytes |
569 | * @data: if non-NULL, the buffers will be filled with this data until it ends. |
570 | * Otherwise the buffers will be poisoned. In both cases, some bytes |
571 | * past the end of each buffer will be poisoned to help detect overruns. |
572 | * @out_divs: if non-NULL, the test_sg_division to which each scatterlist entry |
573 | * corresponds will be returned here. This will match @divs except |
574 | * that divisions resolving to a length of 0 are omitted as they are |
575 | * not included in the scatterlist. |
576 | * |
577 | * Return: 0 or a -errno value |
578 | */ |
579 | static int build_test_sglist(struct test_sglist *tsgl, |
580 | const struct test_sg_division *divs, |
581 | const unsigned int alignmask, |
582 | const unsigned int total_len, |
583 | struct iov_iter *data, |
584 | const struct test_sg_division *out_divs[XBUFSIZE]) |
585 | { |
586 | struct { |
587 | const struct test_sg_division *div; |
588 | size_t length; |
589 | } partitions[XBUFSIZE]; |
590 | const unsigned int ndivs = count_test_sg_divisions(divs); |
591 | unsigned int len_remaining = total_len; |
592 | unsigned int i; |
593 | |
594 | BUILD_BUG_ON(ARRAY_SIZE(partitions) != ARRAY_SIZE(tsgl->sgl)); |
595 | if (WARN_ON(ndivs > ARRAY_SIZE(partitions))) |
596 | return -EINVAL; |
597 | |
598 | /* Calculate the (div, length) pairs */ |
599 | tsgl->nents = 0; |
600 | for (i = 0; i < ndivs; i++) { |
601 | unsigned int len_this_sg = |
602 | min(len_remaining, |
603 | (total_len * divs[i].proportion_of_total + |
604 | TEST_SG_TOTAL / 2) / TEST_SG_TOTAL); |
605 | |
606 | if (len_this_sg != 0) { |
607 | partitions[tsgl->nents].div = &divs[i]; |
608 | partitions[tsgl->nents].length = len_this_sg; |
609 | tsgl->nents++; |
610 | len_remaining -= len_this_sg; |
611 | } |
612 | } |
613 | if (tsgl->nents == 0) { |
614 | partitions[tsgl->nents].div = &divs[0]; |
615 | partitions[tsgl->nents].length = 0; |
616 | tsgl->nents++; |
617 | } |
618 | partitions[tsgl->nents - 1].length += len_remaining; |
619 | |
620 | /* Set up the sgl entries and fill the data or poison */ |
621 | sg_init_table(tsgl->sgl, tsgl->nents); |
622 | for (i = 0; i < tsgl->nents; i++) { |
623 | unsigned int offset = partitions[i].div->offset; |
624 | void *addr; |
625 | |
626 | if (partitions[i].div->offset_relative_to_alignmask) |
627 | offset += alignmask; |
628 | |
629 | while (offset + partitions[i].length + TESTMGR_POISON_LEN > |
630 | 2 * PAGE_SIZE) { |
631 | if (WARN_ON(offset <= 0)) |
632 | return -EINVAL; |
633 | offset /= 2; |
634 | } |
635 | |
636 | addr = &tsgl->bufs[i][offset]; |
637 | sg_set_buf(&tsgl->sgl[i], addr, partitions[i].length); |
638 | |
639 | if (out_divs) |
640 | out_divs[i] = partitions[i].div; |
641 | |
642 | if (data) { |
643 | size_t copy_len, copied; |
644 | |
645 | copy_len = min(partitions[i].length, data->count); |
646 | copied = copy_from_iter(addr, copy_len, data); |
647 | if (WARN_ON(copied != copy_len)) |
648 | return -EINVAL; |
649 | testmgr_poison(addr + copy_len, partitions[i].length + |
650 | TESTMGR_POISON_LEN - copy_len); |
651 | } else { |
652 | testmgr_poison(addr, partitions[i].length + |
653 | TESTMGR_POISON_LEN); |
654 | } |
655 | } |
656 | |
657 | sg_mark_end(&tsgl->sgl[tsgl->nents - 1]); |
658 | tsgl->sgl_ptr = tsgl->sgl; |
659 | memcpy(tsgl->sgl_saved, tsgl->sgl, tsgl->nents * sizeof(tsgl->sgl[0])); |
660 | return 0; |
661 | } |
662 | |
663 | /* |
664 | * Verify that a scatterlist crypto operation produced the correct output. |
665 | * |
666 | * @tsgl: scatterlist containing the actual output |
667 | * @expected_output: buffer containing the expected output |
668 | * @len_to_check: length of @expected_output in bytes |
669 | * @unchecked_prefix_len: number of ignored bytes in @tsgl prior to real result |
670 | * @check_poison: verify that the poison bytes after each chunk are intact? |
671 | * |
672 | * Return: 0 if correct, -EINVAL if incorrect, -EOVERFLOW if buffer overrun. |
673 | */ |
674 | static int verify_correct_output(const struct test_sglist *tsgl, |
675 | const char *expected_output, |
676 | unsigned int len_to_check, |
677 | unsigned int unchecked_prefix_len, |
678 | bool check_poison) |
679 | { |
680 | unsigned int i; |
681 | |
682 | for (i = 0; i < tsgl->nents; i++) { |
683 | struct scatterlist *sg = &tsgl->sgl_ptr[i]; |
684 | unsigned int len = sg->length; |
685 | unsigned int offset = sg->offset; |
686 | const char *actual_output; |
687 | |
688 | if (unchecked_prefix_len) { |
689 | if (unchecked_prefix_len >= len) { |
690 | unchecked_prefix_len -= len; |
691 | continue; |
692 | } |
693 | offset += unchecked_prefix_len; |
694 | len -= unchecked_prefix_len; |
695 | unchecked_prefix_len = 0; |
696 | } |
697 | len = min(len, len_to_check); |
698 | actual_output = page_address(sg_page(sg)) + offset; |
699 | if (memcmp(expected_output, actual_output, len) != 0) |
700 | return -EINVAL; |
701 | if (check_poison && |
702 | !testmgr_is_poison(actual_output + len, TESTMGR_POISON_LEN)) |
703 | return -EOVERFLOW; |
704 | len_to_check -= len; |
705 | expected_output += len; |
706 | } |
707 | if (WARN_ON(len_to_check != 0)) |
708 | return -EINVAL; |
709 | return 0; |
710 | } |
711 | |
712 | static bool is_test_sglist_corrupted(const struct test_sglist *tsgl) |
713 | { |
714 | unsigned int i; |
715 | |
716 | for (i = 0; i < tsgl->nents; i++) { |
717 | if (tsgl->sgl[i].page_link != tsgl->sgl_saved[i].page_link) |
718 | return true; |
719 | if (tsgl->sgl[i].offset != tsgl->sgl_saved[i].offset) |
720 | return true; |
721 | if (tsgl->sgl[i].length != tsgl->sgl_saved[i].length) |
722 | return true; |
723 | } |
724 | return false; |
725 | } |
726 | |
727 | struct cipher_test_sglists { |
728 | struct test_sglist src; |
729 | struct test_sglist dst; |
730 | }; |
731 | |
732 | static struct cipher_test_sglists *alloc_cipher_test_sglists(void) |
733 | { |
734 | struct cipher_test_sglists *tsgls; |
735 | |
736 | tsgls = kmalloc(sizeof(*tsgls), GFP_KERNEL); |
737 | if (!tsgls) |
738 | return NULL; |
739 | |
740 | if (init_test_sglist(&tsgls->src) != 0) |
741 | goto fail_kfree; |
742 | if (init_test_sglist(&tsgls->dst) != 0) |
743 | goto fail_destroy_src; |
744 | |
745 | return tsgls; |
746 | |
747 | fail_destroy_src: |
748 | destroy_test_sglist(&tsgls->src); |
749 | fail_kfree: |
750 | kfree(tsgls); |
751 | return NULL; |
752 | } |
753 | |
754 | static void free_cipher_test_sglists(struct cipher_test_sglists *tsgls) |
755 | { |
756 | if (tsgls) { |
757 | destroy_test_sglist(&tsgls->src); |
758 | destroy_test_sglist(&tsgls->dst); |
759 | kfree(tsgls); |
760 | } |
761 | } |
762 | |
763 | /* Build the src and dst scatterlists for an skcipher or AEAD test */ |
764 | static int build_cipher_test_sglists(struct cipher_test_sglists *tsgls, |
765 | const struct testvec_config *cfg, |
766 | unsigned int alignmask, |
767 | unsigned int src_total_len, |
768 | unsigned int dst_total_len, |
769 | const struct kvec *inputs, |
770 | unsigned int nr_inputs) |
771 | { |
772 | struct iov_iter input; |
773 | int err; |
774 | |
775 | iov_iter_kvec(&input, ITER_SOURCE, inputs, nr_inputs, src_total_len); |
776 | err = build_test_sglist(&tsgls->src, cfg->src_divs, alignmask, |
777 | cfg->inplace_mode != OUT_OF_PLACE ? |
778 | max(dst_total_len, src_total_len) : |
779 | src_total_len, |
780 | &input, NULL); |
781 | if (err) |
782 | return err; |
783 | |
784 | /* |
785 | * In-place crypto operations can use the same scatterlist for both the |
786 | * source and destination (req->src == req->dst), or can use separate |
787 | * scatterlists (req->src != req->dst) which point to the same |
788 | * underlying memory. Make sure to test both cases. |
789 | */ |
790 | if (cfg->inplace_mode == INPLACE_ONE_SGLIST) { |
791 | tsgls->dst.sgl_ptr = tsgls->src.sgl; |
792 | tsgls->dst.nents = tsgls->src.nents; |
793 | return 0; |
794 | } |
795 | if (cfg->inplace_mode == INPLACE_TWO_SGLISTS) { |
796 | /* |
797 | * For now we keep it simple and only test the case where the |
798 | * two scatterlists have identical entries, rather than |
799 | * different entries that split up the same memory differently. |
800 | */ |
801 | memcpy(tsgls->dst.sgl, tsgls->src.sgl, |
802 | tsgls->src.nents * sizeof(tsgls->src.sgl[0])); |
803 | memcpy(tsgls->dst.sgl_saved, tsgls->src.sgl, |
804 | tsgls->src.nents * sizeof(tsgls->src.sgl[0])); |
805 | tsgls->dst.sgl_ptr = tsgls->dst.sgl; |
806 | tsgls->dst.nents = tsgls->src.nents; |
807 | return 0; |
808 | } |
809 | /* Out of place */ |
810 | return build_test_sglist(&tsgls->dst, |
811 | cfg->dst_divs[0].proportion_of_total ? |
812 | cfg->dst_divs : cfg->src_divs, |
813 | alignmask, dst_total_len, NULL, NULL); |
814 | } |
815 | |
816 | /* |
817 | * Support for testing passing a misaligned key to setkey(): |
818 | * |
819 | * If cfg->key_offset is set, copy the key into a new buffer at that offset, |
820 | * optionally adding alignmask. Else, just use the key directly. |
821 | */ |
822 | static int prepare_keybuf(const u8 *key, unsigned int ksize, |
823 | const struct testvec_config *cfg, |
824 | unsigned int alignmask, |
825 | const u8 **keybuf_ret, const u8 **keyptr_ret) |
826 | { |
827 | unsigned int key_offset = cfg->key_offset; |
828 | u8 *keybuf = NULL, *keyptr = (u8 *)key; |
829 | |
830 | if (key_offset != 0) { |
831 | if (cfg->key_offset_relative_to_alignmask) |
832 | key_offset += alignmask; |
833 | keybuf = kmalloc(key_offset + ksize, GFP_KERNEL); |
834 | if (!keybuf) |
835 | return -ENOMEM; |
836 | keyptr = keybuf + key_offset; |
837 | memcpy(keyptr, key, ksize); |
838 | } |
839 | *keybuf_ret = keybuf; |
840 | *keyptr_ret = keyptr; |
841 | return 0; |
842 | } |
843 | |
844 | /* Like setkey_f(tfm, key, ksize), but sometimes misalign the key */ |
845 | #define do_setkey(setkey_f, tfm, key, ksize, cfg, alignmask) \ |
846 | ({ \ |
847 | const u8 *keybuf, *keyptr; \ |
848 | int err; \ |
849 | \ |
850 | err = prepare_keybuf((key), (ksize), (cfg), (alignmask), \ |
851 | &keybuf, &keyptr); \ |
852 | if (err == 0) { \ |
853 | err = setkey_f((tfm), keyptr, (ksize)); \ |
854 | kfree(keybuf); \ |
855 | } \ |
856 | err; \ |
857 | }) |
858 | |
859 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
860 | |
861 | /* |
862 | * The fuzz tests use prandom instead of the normal Linux RNG since they don't |
863 | * need cryptographically secure random numbers. This greatly improves the |
864 | * performance of these tests, especially if they are run before the Linux RNG |
865 | * has been initialized or if they are run on a lockdep-enabled kernel. |
866 | */ |
867 | |
868 | static inline void init_rnd_state(struct rnd_state *rng) |
869 | { |
870 | prandom_seed_state(rng, get_random_u64()); |
871 | } |
872 | |
873 | static inline u8 prandom_u8(struct rnd_state *rng) |
874 | { |
875 | return prandom_u32_state(rng); |
876 | } |
877 | |
878 | static inline u32 prandom_u32_below(struct rnd_state *rng, u32 ceil) |
879 | { |
880 | /* |
881 | * This is slightly biased for non-power-of-2 values of 'ceil', but this |
882 | * isn't important here. |
883 | */ |
884 | return prandom_u32_state(rng) % ceil; |
885 | } |
886 | |
887 | static inline bool prandom_bool(struct rnd_state *rng) |
888 | { |
889 | return prandom_u32_below(rng, 2); |
890 | } |
891 | |
892 | static inline u32 prandom_u32_inclusive(struct rnd_state *rng, |
893 | u32 floor, u32 ceil) |
894 | { |
895 | return floor + prandom_u32_below(rng, ceil - floor + 1); |
896 | } |
897 | |
898 | /* Generate a random length in range [0, max_len], but prefer smaller values */ |
899 | static unsigned int generate_random_length(struct rnd_state *rng, |
900 | unsigned int max_len) |
901 | { |
902 | unsigned int len = prandom_u32_below(rng, max_len + 1); |
903 | |
904 | switch (prandom_u32_below(rng, 4)) { |
905 | case 0: |
906 | return len % 64; |
907 | case 1: |
908 | return len % 256; |
909 | case 2: |
910 | return len % 1024; |
911 | default: |
912 | return len; |
913 | } |
914 | } |
915 | |
916 | /* Flip a random bit in the given nonempty data buffer */ |
917 | static void flip_random_bit(struct rnd_state *rng, u8 *buf, size_t size) |
918 | { |
919 | size_t bitpos; |
920 | |
921 | bitpos = prandom_u32_below(rng, size * 8); |
922 | buf[bitpos / 8] ^= 1 << (bitpos % 8); |
923 | } |
924 | |
925 | /* Flip a random byte in the given nonempty data buffer */ |
926 | static void flip_random_byte(struct rnd_state *rng, u8 *buf, size_t size) |
927 | { |
928 | buf[prandom_u32_below(rng, size)] ^= 0xff; |
929 | } |
930 | |
931 | /* Sometimes make some random changes to the given nonempty data buffer */ |
932 | static void mutate_buffer(struct rnd_state *rng, u8 *buf, size_t size) |
933 | { |
934 | size_t num_flips; |
935 | size_t i; |
936 | |
937 | /* Sometimes flip some bits */ |
938 | if (prandom_u32_below(rng, 4) == 0) { |
939 | num_flips = min_t(size_t, 1 << prandom_u32_below(rng, 8), |
940 | size * 8); |
941 | for (i = 0; i < num_flips; i++) |
942 | flip_random_bit(rng, buf, size); |
943 | } |
944 | |
945 | /* Sometimes flip some bytes */ |
946 | if (prandom_u32_below(rng, 4) == 0) { |
947 | num_flips = min_t(size_t, 1 << prandom_u32_below(rng, 8), size); |
948 | for (i = 0; i < num_flips; i++) |
949 | flip_random_byte(rng, buf, size); |
950 | } |
951 | } |
952 | |
953 | /* Randomly generate 'count' bytes, but sometimes make them "interesting" */ |
954 | static void generate_random_bytes(struct rnd_state *rng, u8 *buf, size_t count) |
955 | { |
956 | u8 b; |
957 | u8 increment; |
958 | size_t i; |
959 | |
960 | if (count == 0) |
961 | return; |
962 | |
963 | switch (prandom_u32_below(rng, 8)) { /* Choose a generation strategy */ |
964 | case 0: |
965 | case 1: |
966 | /* All the same byte, plus optional mutations */ |
967 | switch (prandom_u32_below(rng, 4)) { |
968 | case 0: |
969 | b = 0x00; |
970 | break; |
971 | case 1: |
972 | b = 0xff; |
973 | break; |
974 | default: |
975 | b = prandom_u8(rng); |
976 | break; |
977 | } |
978 | memset(buf, b, count); |
979 | mutate_buffer(rng, buf, count); |
980 | break; |
981 | case 2: |
982 | /* Ascending or descending bytes, plus optional mutations */ |
983 | increment = prandom_u8(rng); |
984 | b = prandom_u8(rng); |
985 | for (i = 0; i < count; i++, b += increment) |
986 | buf[i] = b; |
987 | mutate_buffer(rng, buf, count); |
988 | break; |
989 | default: |
990 | /* Fully random bytes */ |
991 | prandom_bytes_state(rng, buf, count); |
992 | } |
993 | } |
994 | |
995 | static char *generate_random_sgl_divisions(struct rnd_state *rng, |
996 | struct test_sg_division *divs, |
997 | size_t max_divs, char *p, char *end, |
998 | bool gen_flushes, u32 req_flags) |
999 | { |
1000 | struct test_sg_division *div = divs; |
1001 | unsigned int remaining = TEST_SG_TOTAL; |
1002 | |
1003 | do { |
1004 | unsigned int this_len; |
1005 | const char *flushtype_str; |
1006 | |
1007 | if (div == &divs[max_divs - 1] || prandom_bool(rng)) |
1008 | this_len = remaining; |
1009 | else |
1010 | this_len = prandom_u32_inclusive(rng, 1, remaining); |
1011 | div->proportion_of_total = this_len; |
1012 | |
1013 | if (prandom_u32_below(rng, 4) == 0) |
1014 | div->offset = prandom_u32_inclusive(rng, |
1015 | PAGE_SIZE - 128, |
1016 | PAGE_SIZE - 1); |
1017 | else if (prandom_bool(rng)) |
1018 | div->offset = prandom_u32_below(rng, 32); |
1019 | else |
1020 | div->offset = prandom_u32_below(rng, PAGE_SIZE); |
1021 | if (prandom_u32_below(rng, 8) == 0) |
1022 | div->offset_relative_to_alignmask = true; |
1023 | |
1024 | div->flush_type = FLUSH_TYPE_NONE; |
1025 | if (gen_flushes) { |
1026 | switch (prandom_u32_below(rng, 4)) { |
1027 | case 0: |
1028 | div->flush_type = FLUSH_TYPE_REIMPORT; |
1029 | break; |
1030 | case 1: |
1031 | div->flush_type = FLUSH_TYPE_FLUSH; |
1032 | break; |
1033 | } |
1034 | } |
1035 | |
1036 | if (div->flush_type != FLUSH_TYPE_NONE && |
1037 | !(req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) && |
1038 | prandom_bool(rng)) |
1039 | div->nosimd = true; |
1040 | |
1041 | switch (div->flush_type) { |
1042 | case FLUSH_TYPE_FLUSH: |
1043 | if (div->nosimd) |
1044 | flushtype_str = "<flush,nosimd>" ; |
1045 | else |
1046 | flushtype_str = "<flush>" ; |
1047 | break; |
1048 | case FLUSH_TYPE_REIMPORT: |
1049 | if (div->nosimd) |
1050 | flushtype_str = "<reimport,nosimd>" ; |
1051 | else |
1052 | flushtype_str = "<reimport>" ; |
1053 | break; |
1054 | default: |
1055 | flushtype_str = "" ; |
1056 | break; |
1057 | } |
1058 | |
1059 | BUILD_BUG_ON(TEST_SG_TOTAL != 10000); /* for "%u.%u%%" */ |
1060 | p += scnprintf(p, end - p, "%s%u.%u%%@%s+%u%s" , flushtype_str, |
1061 | this_len / 100, this_len % 100, |
1062 | div->offset_relative_to_alignmask ? |
1063 | "alignmask" : "" , |
1064 | div->offset, this_len == remaining ? "" : ", " ); |
1065 | remaining -= this_len; |
1066 | div++; |
1067 | } while (remaining); |
1068 | |
1069 | return p; |
1070 | } |
1071 | |
1072 | /* Generate a random testvec_config for fuzz testing */ |
1073 | static void generate_random_testvec_config(struct rnd_state *rng, |
1074 | struct testvec_config *cfg, |
1075 | char *name, size_t max_namelen) |
1076 | { |
1077 | char *p = name; |
1078 | char * const end = name + max_namelen; |
1079 | |
1080 | memset(cfg, 0, sizeof(*cfg)); |
1081 | |
1082 | cfg->name = name; |
1083 | |
1084 | p += scnprintf(p, end - p, "random:" ); |
1085 | |
1086 | switch (prandom_u32_below(rng, 4)) { |
1087 | case 0: |
1088 | case 1: |
1089 | cfg->inplace_mode = OUT_OF_PLACE; |
1090 | break; |
1091 | case 2: |
1092 | cfg->inplace_mode = INPLACE_ONE_SGLIST; |
1093 | p += scnprintf(p, end - p, " inplace_one_sglist" ); |
1094 | break; |
1095 | default: |
1096 | cfg->inplace_mode = INPLACE_TWO_SGLISTS; |
1097 | p += scnprintf(p, end - p, " inplace_two_sglists" ); |
1098 | break; |
1099 | } |
1100 | |
1101 | if (prandom_bool(rng)) { |
1102 | cfg->req_flags |= CRYPTO_TFM_REQ_MAY_SLEEP; |
1103 | p += scnprintf(p, end - p, " may_sleep" ); |
1104 | } |
1105 | |
1106 | switch (prandom_u32_below(rng, 4)) { |
1107 | case 0: |
1108 | cfg->finalization_type = FINALIZATION_TYPE_FINAL; |
1109 | p += scnprintf(p, end - p, " use_final" ); |
1110 | break; |
1111 | case 1: |
1112 | cfg->finalization_type = FINALIZATION_TYPE_FINUP; |
1113 | p += scnprintf(p, end - p, " use_finup" ); |
1114 | break; |
1115 | default: |
1116 | cfg->finalization_type = FINALIZATION_TYPE_DIGEST; |
1117 | p += scnprintf(p, end - p, " use_digest" ); |
1118 | break; |
1119 | } |
1120 | |
1121 | if (!(cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) && prandom_bool(rng)) { |
1122 | cfg->nosimd = true; |
1123 | p += scnprintf(p, end - p, " nosimd" ); |
1124 | } |
1125 | |
1126 | p += scnprintf(p, end - p, " src_divs=[" ); |
1127 | p = generate_random_sgl_divisions(rng, cfg->src_divs, |
1128 | ARRAY_SIZE(cfg->src_divs), p, end, |
1129 | (cfg->finalization_type != |
1130 | FINALIZATION_TYPE_DIGEST), |
1131 | cfg->req_flags); |
1132 | p += scnprintf(p, end - p, "]" ); |
1133 | |
1134 | if (cfg->inplace_mode == OUT_OF_PLACE && prandom_bool(rng)) { |
1135 | p += scnprintf(p, end - p, " dst_divs=[" ); |
1136 | p = generate_random_sgl_divisions(rng, cfg->dst_divs, |
1137 | ARRAY_SIZE(cfg->dst_divs), |
1138 | p, end, false, |
1139 | cfg->req_flags); |
1140 | p += scnprintf(p, end - p, "]" ); |
1141 | } |
1142 | |
1143 | if (prandom_bool(rng)) { |
1144 | cfg->iv_offset = prandom_u32_inclusive(rng, 1, |
1145 | MAX_ALGAPI_ALIGNMASK); |
1146 | p += scnprintf(p, end - p, " iv_offset=%u" , cfg->iv_offset); |
1147 | } |
1148 | |
1149 | if (prandom_bool(rng)) { |
1150 | cfg->key_offset = prandom_u32_inclusive(rng, 1, |
1151 | MAX_ALGAPI_ALIGNMASK); |
1152 | p += scnprintf(p, end - p, " key_offset=%u" , cfg->key_offset); |
1153 | } |
1154 | |
1155 | WARN_ON_ONCE(!valid_testvec_config(cfg)); |
1156 | } |
1157 | |
1158 | static void crypto_disable_simd_for_test(void) |
1159 | { |
1160 | migrate_disable(); |
1161 | __this_cpu_write(crypto_simd_disabled_for_test, true); |
1162 | } |
1163 | |
1164 | static void crypto_reenable_simd_for_test(void) |
1165 | { |
1166 | __this_cpu_write(crypto_simd_disabled_for_test, false); |
1167 | migrate_enable(); |
1168 | } |
1169 | |
1170 | /* |
1171 | * Given an algorithm name, build the name of the generic implementation of that |
1172 | * algorithm, assuming the usual naming convention. Specifically, this appends |
1173 | * "-generic" to every part of the name that is not a template name. Examples: |
1174 | * |
1175 | * aes => aes-generic |
1176 | * cbc(aes) => cbc(aes-generic) |
1177 | * cts(cbc(aes)) => cts(cbc(aes-generic)) |
1178 | * rfc7539(chacha20,poly1305) => rfc7539(chacha20-generic,poly1305-generic) |
1179 | * |
1180 | * Return: 0 on success, or -ENAMETOOLONG if the generic name would be too long |
1181 | */ |
1182 | static int build_generic_driver_name(const char *algname, |
1183 | char driver_name[CRYPTO_MAX_ALG_NAME]) |
1184 | { |
1185 | const char *in = algname; |
1186 | char *out = driver_name; |
1187 | size_t len = strlen(algname); |
1188 | |
1189 | if (len >= CRYPTO_MAX_ALG_NAME) |
1190 | goto too_long; |
1191 | do { |
1192 | const char *in_saved = in; |
1193 | |
1194 | while (*in && *in != '(' && *in != ')' && *in != ',') |
1195 | *out++ = *in++; |
1196 | if (*in != '(' && in > in_saved) { |
1197 | len += 8; |
1198 | if (len >= CRYPTO_MAX_ALG_NAME) |
1199 | goto too_long; |
1200 | memcpy(out, "-generic" , 8); |
1201 | out += 8; |
1202 | } |
1203 | } while ((*out++ = *in++) != '\0'); |
1204 | return 0; |
1205 | |
1206 | too_long: |
1207 | pr_err("alg: generic driver name for \"%s\" would be too long\n" , |
1208 | algname); |
1209 | return -ENAMETOOLONG; |
1210 | } |
1211 | #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
1212 | static void crypto_disable_simd_for_test(void) |
1213 | { |
1214 | } |
1215 | |
1216 | static void crypto_reenable_simd_for_test(void) |
1217 | { |
1218 | } |
1219 | #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
1220 | |
1221 | static int build_hash_sglist(struct test_sglist *tsgl, |
1222 | const struct hash_testvec *vec, |
1223 | const struct testvec_config *cfg, |
1224 | unsigned int alignmask, |
1225 | const struct test_sg_division *divs[XBUFSIZE]) |
1226 | { |
1227 | struct kvec kv; |
1228 | struct iov_iter input; |
1229 | |
1230 | kv.iov_base = (void *)vec->plaintext; |
1231 | kv.iov_len = vec->psize; |
1232 | iov_iter_kvec(&input, ITER_SOURCE, &kv, 1, vec->psize); |
1233 | return build_test_sglist(tsgl, cfg->src_divs, alignmask, vec->psize, |
1234 | &input, divs); |
1235 | } |
1236 | |
1237 | static int check_hash_result(const char *type, |
1238 | const u8 *result, unsigned int digestsize, |
1239 | const struct hash_testvec *vec, |
1240 | const char *vec_name, |
1241 | const char *driver, |
1242 | const struct testvec_config *cfg) |
1243 | { |
1244 | if (memcmp(result, vec->digest, digestsize) != 0) { |
1245 | pr_err("alg: %s: %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n" , |
1246 | type, driver, vec_name, cfg->name); |
1247 | return -EINVAL; |
1248 | } |
1249 | if (!testmgr_is_poison(&result[digestsize], TESTMGR_POISON_LEN)) { |
1250 | pr_err("alg: %s: %s overran result buffer on test vector %s, cfg=\"%s\"\n" , |
1251 | type, driver, vec_name, cfg->name); |
1252 | return -EOVERFLOW; |
1253 | } |
1254 | return 0; |
1255 | } |
1256 | |
1257 | static inline int check_shash_op(const char *op, int err, |
1258 | const char *driver, const char *vec_name, |
1259 | const struct testvec_config *cfg) |
1260 | { |
1261 | if (err) |
1262 | pr_err("alg: shash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n" , |
1263 | driver, op, err, vec_name, cfg->name); |
1264 | return err; |
1265 | } |
1266 | |
1267 | /* Test one hash test vector in one configuration, using the shash API */ |
1268 | static int test_shash_vec_cfg(const struct hash_testvec *vec, |
1269 | const char *vec_name, |
1270 | const struct testvec_config *cfg, |
1271 | struct shash_desc *desc, |
1272 | struct test_sglist *tsgl, |
1273 | u8 *hashstate) |
1274 | { |
1275 | struct crypto_shash *tfm = desc->tfm; |
1276 | const unsigned int digestsize = crypto_shash_digestsize(tfm); |
1277 | const unsigned int statesize = crypto_shash_statesize(tfm); |
1278 | const char *driver = crypto_shash_driver_name(tfm); |
1279 | const struct test_sg_division *divs[XBUFSIZE]; |
1280 | unsigned int i; |
1281 | u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN]; |
1282 | int err; |
1283 | |
1284 | /* Set the key, if specified */ |
1285 | if (vec->ksize) { |
1286 | err = do_setkey(crypto_shash_setkey, tfm, vec->key, vec->ksize, |
1287 | cfg, 0); |
1288 | if (err) { |
1289 | if (err == vec->setkey_error) |
1290 | return 0; |
1291 | pr_err("alg: shash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n" , |
1292 | driver, vec_name, vec->setkey_error, err, |
1293 | crypto_shash_get_flags(tfm)); |
1294 | return err; |
1295 | } |
1296 | if (vec->setkey_error) { |
1297 | pr_err("alg: shash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n" , |
1298 | driver, vec_name, vec->setkey_error); |
1299 | return -EINVAL; |
1300 | } |
1301 | } |
1302 | |
1303 | /* Build the scatterlist for the source data */ |
1304 | err = build_hash_sglist(tsgl, vec, cfg, 0, divs); |
1305 | if (err) { |
1306 | pr_err("alg: shash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n" , |
1307 | driver, vec_name, cfg->name); |
1308 | return err; |
1309 | } |
1310 | |
1311 | /* Do the actual hashing */ |
1312 | |
1313 | testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm)); |
1314 | testmgr_poison(result, digestsize + TESTMGR_POISON_LEN); |
1315 | |
1316 | if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST || |
1317 | vec->digest_error) { |
1318 | /* Just using digest() */ |
1319 | if (tsgl->nents != 1) |
1320 | return 0; |
1321 | if (cfg->nosimd) |
1322 | crypto_disable_simd_for_test(); |
1323 | err = crypto_shash_digest(desc, sg_virt(&tsgl->sgl[0]), |
1324 | tsgl->sgl[0].length, result); |
1325 | if (cfg->nosimd) |
1326 | crypto_reenable_simd_for_test(); |
1327 | if (err) { |
1328 | if (err == vec->digest_error) |
1329 | return 0; |
1330 | pr_err("alg: shash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n" , |
1331 | driver, vec_name, vec->digest_error, err, |
1332 | cfg->name); |
1333 | return err; |
1334 | } |
1335 | if (vec->digest_error) { |
1336 | pr_err("alg: shash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n" , |
1337 | driver, vec_name, vec->digest_error, cfg->name); |
1338 | return -EINVAL; |
1339 | } |
1340 | goto result_ready; |
1341 | } |
1342 | |
1343 | /* Using init(), zero or more update(), then final() or finup() */ |
1344 | |
1345 | if (cfg->nosimd) |
1346 | crypto_disable_simd_for_test(); |
1347 | err = crypto_shash_init(desc); |
1348 | if (cfg->nosimd) |
1349 | crypto_reenable_simd_for_test(); |
1350 | err = check_shash_op("init" , err, driver, vec_name, cfg); |
1351 | if (err) |
1352 | return err; |
1353 | |
1354 | for (i = 0; i < tsgl->nents; i++) { |
1355 | if (i + 1 == tsgl->nents && |
1356 | cfg->finalization_type == FINALIZATION_TYPE_FINUP) { |
1357 | if (divs[i]->nosimd) |
1358 | crypto_disable_simd_for_test(); |
1359 | err = crypto_shash_finup(desc, sg_virt(&tsgl->sgl[i]), |
1360 | tsgl->sgl[i].length, result); |
1361 | if (divs[i]->nosimd) |
1362 | crypto_reenable_simd_for_test(); |
1363 | err = check_shash_op("finup" , err, driver, vec_name, |
1364 | cfg); |
1365 | if (err) |
1366 | return err; |
1367 | goto result_ready; |
1368 | } |
1369 | if (divs[i]->nosimd) |
1370 | crypto_disable_simd_for_test(); |
1371 | err = crypto_shash_update(desc, sg_virt(&tsgl->sgl[i]), |
1372 | tsgl->sgl[i].length); |
1373 | if (divs[i]->nosimd) |
1374 | crypto_reenable_simd_for_test(); |
1375 | err = check_shash_op("update" , err, driver, vec_name, cfg); |
1376 | if (err) |
1377 | return err; |
1378 | if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) { |
1379 | /* Test ->export() and ->import() */ |
1380 | testmgr_poison(hashstate + statesize, |
1381 | TESTMGR_POISON_LEN); |
1382 | err = crypto_shash_export(desc, hashstate); |
1383 | err = check_shash_op("export" , err, driver, vec_name, |
1384 | cfg); |
1385 | if (err) |
1386 | return err; |
1387 | if (!testmgr_is_poison(hashstate + statesize, |
1388 | TESTMGR_POISON_LEN)) { |
1389 | pr_err("alg: shash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n" , |
1390 | driver, vec_name, cfg->name); |
1391 | return -EOVERFLOW; |
1392 | } |
1393 | testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm)); |
1394 | err = crypto_shash_import(desc, hashstate); |
1395 | err = check_shash_op("import" , err, driver, vec_name, |
1396 | cfg); |
1397 | if (err) |
1398 | return err; |
1399 | } |
1400 | } |
1401 | |
1402 | if (cfg->nosimd) |
1403 | crypto_disable_simd_for_test(); |
1404 | err = crypto_shash_final(desc, result); |
1405 | if (cfg->nosimd) |
1406 | crypto_reenable_simd_for_test(); |
1407 | err = check_shash_op("final" , err, driver, vec_name, cfg); |
1408 | if (err) |
1409 | return err; |
1410 | result_ready: |
1411 | return check_hash_result("shash" , result, digestsize, vec, vec_name, |
1412 | driver, cfg); |
1413 | } |
1414 | |
1415 | static int do_ahash_op(int (*op)(struct ahash_request *req), |
1416 | struct ahash_request *req, |
1417 | struct crypto_wait *wait, bool nosimd) |
1418 | { |
1419 | int err; |
1420 | |
1421 | if (nosimd) |
1422 | crypto_disable_simd_for_test(); |
1423 | |
1424 | err = op(req); |
1425 | |
1426 | if (nosimd) |
1427 | crypto_reenable_simd_for_test(); |
1428 | |
1429 | return crypto_wait_req(err, wait); |
1430 | } |
1431 | |
1432 | static int check_nonfinal_ahash_op(const char *op, int err, |
1433 | u8 *result, unsigned int digestsize, |
1434 | const char *driver, const char *vec_name, |
1435 | const struct testvec_config *cfg) |
1436 | { |
1437 | if (err) { |
1438 | pr_err("alg: ahash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n" , |
1439 | driver, op, err, vec_name, cfg->name); |
1440 | return err; |
1441 | } |
1442 | if (!testmgr_is_poison(result, digestsize)) { |
1443 | pr_err("alg: ahash: %s %s() used result buffer on test vector %s, cfg=\"%s\"\n" , |
1444 | driver, op, vec_name, cfg->name); |
1445 | return -EINVAL; |
1446 | } |
1447 | return 0; |
1448 | } |
1449 | |
1450 | /* Test one hash test vector in one configuration, using the ahash API */ |
1451 | static int test_ahash_vec_cfg(const struct hash_testvec *vec, |
1452 | const char *vec_name, |
1453 | const struct testvec_config *cfg, |
1454 | struct ahash_request *req, |
1455 | struct test_sglist *tsgl, |
1456 | u8 *hashstate) |
1457 | { |
1458 | struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); |
1459 | const unsigned int digestsize = crypto_ahash_digestsize(tfm); |
1460 | const unsigned int statesize = crypto_ahash_statesize(tfm); |
1461 | const char *driver = crypto_ahash_driver_name(tfm); |
1462 | const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags; |
1463 | const struct test_sg_division *divs[XBUFSIZE]; |
1464 | DECLARE_CRYPTO_WAIT(wait); |
1465 | unsigned int i; |
1466 | struct scatterlist *pending_sgl; |
1467 | unsigned int pending_len; |
1468 | u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN]; |
1469 | int err; |
1470 | |
1471 | /* Set the key, if specified */ |
1472 | if (vec->ksize) { |
1473 | err = do_setkey(crypto_ahash_setkey, tfm, vec->key, vec->ksize, |
1474 | cfg, 0); |
1475 | if (err) { |
1476 | if (err == vec->setkey_error) |
1477 | return 0; |
1478 | pr_err("alg: ahash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n" , |
1479 | driver, vec_name, vec->setkey_error, err, |
1480 | crypto_ahash_get_flags(tfm)); |
1481 | return err; |
1482 | } |
1483 | if (vec->setkey_error) { |
1484 | pr_err("alg: ahash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n" , |
1485 | driver, vec_name, vec->setkey_error); |
1486 | return -EINVAL; |
1487 | } |
1488 | } |
1489 | |
1490 | /* Build the scatterlist for the source data */ |
1491 | err = build_hash_sglist(tsgl, vec, cfg, 0, divs); |
1492 | if (err) { |
1493 | pr_err("alg: ahash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n" , |
1494 | driver, vec_name, cfg->name); |
1495 | return err; |
1496 | } |
1497 | |
1498 | /* Do the actual hashing */ |
1499 | |
1500 | testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm)); |
1501 | testmgr_poison(result, digestsize + TESTMGR_POISON_LEN); |
1502 | |
1503 | if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST || |
1504 | vec->digest_error) { |
1505 | /* Just using digest() */ |
1506 | ahash_request_set_callback(req, req_flags, crypto_req_done, |
1507 | &wait); |
1508 | ahash_request_set_crypt(req, tsgl->sgl, result, vec->psize); |
1509 | err = do_ahash_op(crypto_ahash_digest, req, &wait, cfg->nosimd); |
1510 | if (err) { |
1511 | if (err == vec->digest_error) |
1512 | return 0; |
1513 | pr_err("alg: ahash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n" , |
1514 | driver, vec_name, vec->digest_error, err, |
1515 | cfg->name); |
1516 | return err; |
1517 | } |
1518 | if (vec->digest_error) { |
1519 | pr_err("alg: ahash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n" , |
1520 | driver, vec_name, vec->digest_error, cfg->name); |
1521 | return -EINVAL; |
1522 | } |
1523 | goto result_ready; |
1524 | } |
1525 | |
1526 | /* Using init(), zero or more update(), then final() or finup() */ |
1527 | |
1528 | ahash_request_set_callback(req, req_flags, crypto_req_done, &wait); |
1529 | ahash_request_set_crypt(req, NULL, result, 0); |
1530 | err = do_ahash_op(crypto_ahash_init, req, &wait, cfg->nosimd); |
1531 | err = check_nonfinal_ahash_op("init" , err, result, digestsize, |
1532 | driver, vec_name, cfg); |
1533 | if (err) |
1534 | return err; |
1535 | |
1536 | pending_sgl = NULL; |
1537 | pending_len = 0; |
1538 | for (i = 0; i < tsgl->nents; i++) { |
1539 | if (divs[i]->flush_type != FLUSH_TYPE_NONE && |
1540 | pending_sgl != NULL) { |
1541 | /* update() with the pending data */ |
1542 | ahash_request_set_callback(req, req_flags, |
1543 | crypto_req_done, &wait); |
1544 | ahash_request_set_crypt(req, pending_sgl, result, |
1545 | pending_len); |
1546 | err = do_ahash_op(crypto_ahash_update, req, &wait, |
1547 | divs[i]->nosimd); |
1548 | err = check_nonfinal_ahash_op("update" , err, |
1549 | result, digestsize, |
1550 | driver, vec_name, cfg); |
1551 | if (err) |
1552 | return err; |
1553 | pending_sgl = NULL; |
1554 | pending_len = 0; |
1555 | } |
1556 | if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) { |
1557 | /* Test ->export() and ->import() */ |
1558 | testmgr_poison(hashstate + statesize, |
1559 | TESTMGR_POISON_LEN); |
1560 | err = crypto_ahash_export(req, hashstate); |
1561 | err = check_nonfinal_ahash_op("export" , err, |
1562 | result, digestsize, |
1563 | driver, vec_name, cfg); |
1564 | if (err) |
1565 | return err; |
1566 | if (!testmgr_is_poison(hashstate + statesize, |
1567 | TESTMGR_POISON_LEN)) { |
1568 | pr_err("alg: ahash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n" , |
1569 | driver, vec_name, cfg->name); |
1570 | return -EOVERFLOW; |
1571 | } |
1572 | |
1573 | testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm)); |
1574 | err = crypto_ahash_import(req, hashstate); |
1575 | err = check_nonfinal_ahash_op("import" , err, |
1576 | result, digestsize, |
1577 | driver, vec_name, cfg); |
1578 | if (err) |
1579 | return err; |
1580 | } |
1581 | if (pending_sgl == NULL) |
1582 | pending_sgl = &tsgl->sgl[i]; |
1583 | pending_len += tsgl->sgl[i].length; |
1584 | } |
1585 | |
1586 | ahash_request_set_callback(req, req_flags, crypto_req_done, &wait); |
1587 | ahash_request_set_crypt(req, pending_sgl, result, pending_len); |
1588 | if (cfg->finalization_type == FINALIZATION_TYPE_FINAL) { |
1589 | /* finish with update() and final() */ |
1590 | err = do_ahash_op(crypto_ahash_update, req, &wait, cfg->nosimd); |
1591 | err = check_nonfinal_ahash_op("update" , err, result, digestsize, |
1592 | driver, vec_name, cfg); |
1593 | if (err) |
1594 | return err; |
1595 | err = do_ahash_op(crypto_ahash_final, req, &wait, cfg->nosimd); |
1596 | if (err) { |
1597 | pr_err("alg: ahash: %s final() failed with err %d on test vector %s, cfg=\"%s\"\n" , |
1598 | driver, err, vec_name, cfg->name); |
1599 | return err; |
1600 | } |
1601 | } else { |
1602 | /* finish with finup() */ |
1603 | err = do_ahash_op(crypto_ahash_finup, req, &wait, cfg->nosimd); |
1604 | if (err) { |
1605 | pr_err("alg: ahash: %s finup() failed with err %d on test vector %s, cfg=\"%s\"\n" , |
1606 | driver, err, vec_name, cfg->name); |
1607 | return err; |
1608 | } |
1609 | } |
1610 | |
1611 | result_ready: |
1612 | return check_hash_result("ahash" , result, digestsize, vec, vec_name, |
1613 | driver, cfg); |
1614 | } |
1615 | |
1616 | static int test_hash_vec_cfg(const struct hash_testvec *vec, |
1617 | const char *vec_name, |
1618 | const struct testvec_config *cfg, |
1619 | struct ahash_request *req, |
1620 | struct shash_desc *desc, |
1621 | struct test_sglist *tsgl, |
1622 | u8 *hashstate) |
1623 | { |
1624 | int err; |
1625 | |
1626 | /* |
1627 | * For algorithms implemented as "shash", most bugs will be detected by |
1628 | * both the shash and ahash tests. Test the shash API first so that the |
1629 | * failures involve less indirection, so are easier to debug. |
1630 | */ |
1631 | |
1632 | if (desc) { |
1633 | err = test_shash_vec_cfg(vec, vec_name, cfg, desc, tsgl, |
1634 | hashstate); |
1635 | if (err) |
1636 | return err; |
1637 | } |
1638 | |
1639 | return test_ahash_vec_cfg(vec, vec_name, cfg, req, tsgl, hashstate); |
1640 | } |
1641 | |
1642 | static int test_hash_vec(const struct hash_testvec *vec, unsigned int vec_num, |
1643 | struct ahash_request *req, struct shash_desc *desc, |
1644 | struct test_sglist *tsgl, u8 *hashstate) |
1645 | { |
1646 | char vec_name[16]; |
1647 | unsigned int i; |
1648 | int err; |
1649 | |
1650 | sprintf(vec_name, "%u" , vec_num); |
1651 | |
1652 | for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++) { |
1653 | err = test_hash_vec_cfg(vec, vec_name, |
1654 | &default_hash_testvec_configs[i], |
1655 | req, desc, tsgl, hashstate); |
1656 | if (err) |
1657 | return err; |
1658 | } |
1659 | |
1660 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
1661 | if (!noextratests) { |
1662 | struct rnd_state rng; |
1663 | struct testvec_config cfg; |
1664 | char cfgname[TESTVEC_CONFIG_NAMELEN]; |
1665 | |
1666 | init_rnd_state(&rng); |
1667 | |
1668 | for (i = 0; i < fuzz_iterations; i++) { |
1669 | generate_random_testvec_config(&rng, &cfg, cfgname, |
1670 | sizeof(cfgname)); |
1671 | err = test_hash_vec_cfg(vec, vec_name, &cfg, |
1672 | req, desc, tsgl, hashstate); |
1673 | if (err) |
1674 | return err; |
1675 | cond_resched(); |
1676 | } |
1677 | } |
1678 | #endif |
1679 | return 0; |
1680 | } |
1681 | |
1682 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
1683 | /* |
1684 | * Generate a hash test vector from the given implementation. |
1685 | * Assumes the buffers in 'vec' were already allocated. |
1686 | */ |
1687 | static void generate_random_hash_testvec(struct rnd_state *rng, |
1688 | struct shash_desc *desc, |
1689 | struct hash_testvec *vec, |
1690 | unsigned int maxkeysize, |
1691 | unsigned int maxdatasize, |
1692 | char *name, size_t max_namelen) |
1693 | { |
1694 | /* Data */ |
1695 | vec->psize = generate_random_length(rng, maxdatasize); |
1696 | generate_random_bytes(rng, (u8 *)vec->plaintext, vec->psize); |
1697 | |
1698 | /* |
1699 | * Key: length in range [1, maxkeysize], but usually choose maxkeysize. |
1700 | * If algorithm is unkeyed, then maxkeysize == 0 and set ksize = 0. |
1701 | */ |
1702 | vec->setkey_error = 0; |
1703 | vec->ksize = 0; |
1704 | if (maxkeysize) { |
1705 | vec->ksize = maxkeysize; |
1706 | if (prandom_u32_below(rng, 4) == 0) |
1707 | vec->ksize = prandom_u32_inclusive(rng, 1, maxkeysize); |
1708 | generate_random_bytes(rng, (u8 *)vec->key, vec->ksize); |
1709 | |
1710 | vec->setkey_error = crypto_shash_setkey(desc->tfm, vec->key, |
1711 | vec->ksize); |
1712 | /* If the key couldn't be set, no need to continue to digest. */ |
1713 | if (vec->setkey_error) |
1714 | goto done; |
1715 | } |
1716 | |
1717 | /* Digest */ |
1718 | vec->digest_error = crypto_shash_digest(desc, vec->plaintext, |
1719 | vec->psize, (u8 *)vec->digest); |
1720 | done: |
1721 | snprintf(name, max_namelen, "\"random: psize=%u ksize=%u\"" , |
1722 | vec->psize, vec->ksize); |
1723 | } |
1724 | |
1725 | /* |
1726 | * Test the hash algorithm represented by @req against the corresponding generic |
1727 | * implementation, if one is available. |
1728 | */ |
1729 | static int test_hash_vs_generic_impl(const char *generic_driver, |
1730 | unsigned int maxkeysize, |
1731 | struct ahash_request *req, |
1732 | struct shash_desc *desc, |
1733 | struct test_sglist *tsgl, |
1734 | u8 *hashstate) |
1735 | { |
1736 | struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); |
1737 | const unsigned int digestsize = crypto_ahash_digestsize(tfm); |
1738 | const unsigned int blocksize = crypto_ahash_blocksize(tfm); |
1739 | const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN; |
1740 | const char *algname = crypto_hash_alg_common(tfm)->base.cra_name; |
1741 | const char *driver = crypto_ahash_driver_name(tfm); |
1742 | struct rnd_state rng; |
1743 | char _generic_driver[CRYPTO_MAX_ALG_NAME]; |
1744 | struct crypto_shash *generic_tfm = NULL; |
1745 | struct shash_desc *generic_desc = NULL; |
1746 | unsigned int i; |
1747 | struct hash_testvec vec = { 0 }; |
1748 | char vec_name[64]; |
1749 | struct testvec_config *cfg; |
1750 | char cfgname[TESTVEC_CONFIG_NAMELEN]; |
1751 | int err; |
1752 | |
1753 | if (noextratests) |
1754 | return 0; |
1755 | |
1756 | init_rnd_state(&rng); |
1757 | |
1758 | if (!generic_driver) { /* Use default naming convention? */ |
1759 | err = build_generic_driver_name(algname, _generic_driver); |
1760 | if (err) |
1761 | return err; |
1762 | generic_driver = _generic_driver; |
1763 | } |
1764 | |
1765 | if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */ |
1766 | return 0; |
1767 | |
1768 | generic_tfm = crypto_alloc_shash(generic_driver, 0, 0); |
1769 | if (IS_ERR(generic_tfm)) { |
1770 | err = PTR_ERR(generic_tfm); |
1771 | if (err == -ENOENT) { |
1772 | pr_warn("alg: hash: skipping comparison tests for %s because %s is unavailable\n" , |
1773 | driver, generic_driver); |
1774 | return 0; |
1775 | } |
1776 | pr_err("alg: hash: error allocating %s (generic impl of %s): %d\n" , |
1777 | generic_driver, algname, err); |
1778 | return err; |
1779 | } |
1780 | |
1781 | cfg = kzalloc(sizeof(*cfg), GFP_KERNEL); |
1782 | if (!cfg) { |
1783 | err = -ENOMEM; |
1784 | goto out; |
1785 | } |
1786 | |
1787 | generic_desc = kzalloc(sizeof(*desc) + |
1788 | crypto_shash_descsize(generic_tfm), GFP_KERNEL); |
1789 | if (!generic_desc) { |
1790 | err = -ENOMEM; |
1791 | goto out; |
1792 | } |
1793 | generic_desc->tfm = generic_tfm; |
1794 | |
1795 | /* Check the algorithm properties for consistency. */ |
1796 | |
1797 | if (digestsize != crypto_shash_digestsize(generic_tfm)) { |
1798 | pr_err("alg: hash: digestsize for %s (%u) doesn't match generic impl (%u)\n" , |
1799 | driver, digestsize, |
1800 | crypto_shash_digestsize(generic_tfm)); |
1801 | err = -EINVAL; |
1802 | goto out; |
1803 | } |
1804 | |
1805 | if (blocksize != crypto_shash_blocksize(generic_tfm)) { |
1806 | pr_err("alg: hash: blocksize for %s (%u) doesn't match generic impl (%u)\n" , |
1807 | driver, blocksize, crypto_shash_blocksize(generic_tfm)); |
1808 | err = -EINVAL; |
1809 | goto out; |
1810 | } |
1811 | |
1812 | /* |
1813 | * Now generate test vectors using the generic implementation, and test |
1814 | * the other implementation against them. |
1815 | */ |
1816 | |
1817 | vec.key = kmalloc(maxkeysize, GFP_KERNEL); |
1818 | vec.plaintext = kmalloc(maxdatasize, GFP_KERNEL); |
1819 | vec.digest = kmalloc(digestsize, GFP_KERNEL); |
1820 | if (!vec.key || !vec.plaintext || !vec.digest) { |
1821 | err = -ENOMEM; |
1822 | goto out; |
1823 | } |
1824 | |
1825 | for (i = 0; i < fuzz_iterations * 8; i++) { |
1826 | generate_random_hash_testvec(&rng, generic_desc, &vec, |
1827 | maxkeysize, maxdatasize, |
1828 | vec_name, sizeof(vec_name)); |
1829 | generate_random_testvec_config(&rng, cfg, cfgname, |
1830 | sizeof(cfgname)); |
1831 | |
1832 | err = test_hash_vec_cfg(&vec, vec_name, cfg, |
1833 | req, desc, tsgl, hashstate); |
1834 | if (err) |
1835 | goto out; |
1836 | cond_resched(); |
1837 | } |
1838 | err = 0; |
1839 | out: |
1840 | kfree(cfg); |
1841 | kfree(vec.key); |
1842 | kfree(vec.plaintext); |
1843 | kfree(vec.digest); |
1844 | crypto_free_shash(generic_tfm); |
1845 | kfree_sensitive(generic_desc); |
1846 | return err; |
1847 | } |
1848 | #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
1849 | static int test_hash_vs_generic_impl(const char *generic_driver, |
1850 | unsigned int maxkeysize, |
1851 | struct ahash_request *req, |
1852 | struct shash_desc *desc, |
1853 | struct test_sglist *tsgl, |
1854 | u8 *hashstate) |
1855 | { |
1856 | return 0; |
1857 | } |
1858 | #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
1859 | |
1860 | static int alloc_shash(const char *driver, u32 type, u32 mask, |
1861 | struct crypto_shash **tfm_ret, |
1862 | struct shash_desc **desc_ret) |
1863 | { |
1864 | struct crypto_shash *tfm; |
1865 | struct shash_desc *desc; |
1866 | |
1867 | tfm = crypto_alloc_shash(driver, type, mask); |
1868 | if (IS_ERR(tfm)) { |
1869 | if (PTR_ERR(tfm) == -ENOENT) { |
1870 | /* |
1871 | * This algorithm is only available through the ahash |
1872 | * API, not the shash API, so skip the shash tests. |
1873 | */ |
1874 | return 0; |
1875 | } |
1876 | pr_err("alg: hash: failed to allocate shash transform for %s: %ld\n" , |
1877 | driver, PTR_ERR(tfm)); |
1878 | return PTR_ERR(tfm); |
1879 | } |
1880 | |
1881 | desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); |
1882 | if (!desc) { |
1883 | crypto_free_shash(tfm); |
1884 | return -ENOMEM; |
1885 | } |
1886 | desc->tfm = tfm; |
1887 | |
1888 | *tfm_ret = tfm; |
1889 | *desc_ret = desc; |
1890 | return 0; |
1891 | } |
1892 | |
1893 | static int __alg_test_hash(const struct hash_testvec *vecs, |
1894 | unsigned int num_vecs, const char *driver, |
1895 | u32 type, u32 mask, |
1896 | const char *generic_driver, unsigned int maxkeysize) |
1897 | { |
1898 | struct crypto_ahash *atfm = NULL; |
1899 | struct ahash_request *req = NULL; |
1900 | struct crypto_shash *stfm = NULL; |
1901 | struct shash_desc *desc = NULL; |
1902 | struct test_sglist *tsgl = NULL; |
1903 | u8 *hashstate = NULL; |
1904 | unsigned int statesize; |
1905 | unsigned int i; |
1906 | int err; |
1907 | |
1908 | /* |
1909 | * Always test the ahash API. This works regardless of whether the |
1910 | * algorithm is implemented as ahash or shash. |
1911 | */ |
1912 | |
1913 | atfm = crypto_alloc_ahash(driver, type, mask); |
1914 | if (IS_ERR(atfm)) { |
1915 | pr_err("alg: hash: failed to allocate transform for %s: %ld\n" , |
1916 | driver, PTR_ERR(atfm)); |
1917 | return PTR_ERR(atfm); |
1918 | } |
1919 | driver = crypto_ahash_driver_name(atfm); |
1920 | |
1921 | req = ahash_request_alloc(atfm, GFP_KERNEL); |
1922 | if (!req) { |
1923 | pr_err("alg: hash: failed to allocate request for %s\n" , |
1924 | driver); |
1925 | err = -ENOMEM; |
1926 | goto out; |
1927 | } |
1928 | |
1929 | /* |
1930 | * If available also test the shash API, to cover corner cases that may |
1931 | * be missed by testing the ahash API only. |
1932 | */ |
1933 | err = alloc_shash(driver, type, mask, &stfm, &desc); |
1934 | if (err) |
1935 | goto out; |
1936 | |
1937 | tsgl = kmalloc(sizeof(*tsgl), GFP_KERNEL); |
1938 | if (!tsgl || init_test_sglist(tsgl) != 0) { |
1939 | pr_err("alg: hash: failed to allocate test buffers for %s\n" , |
1940 | driver); |
1941 | kfree(tsgl); |
1942 | tsgl = NULL; |
1943 | err = -ENOMEM; |
1944 | goto out; |
1945 | } |
1946 | |
1947 | statesize = crypto_ahash_statesize(atfm); |
1948 | if (stfm) |
1949 | statesize = max(statesize, crypto_shash_statesize(stfm)); |
1950 | hashstate = kmalloc(statesize + TESTMGR_POISON_LEN, GFP_KERNEL); |
1951 | if (!hashstate) { |
1952 | pr_err("alg: hash: failed to allocate hash state buffer for %s\n" , |
1953 | driver); |
1954 | err = -ENOMEM; |
1955 | goto out; |
1956 | } |
1957 | |
1958 | for (i = 0; i < num_vecs; i++) { |
1959 | if (fips_enabled && vecs[i].fips_skip) |
1960 | continue; |
1961 | |
1962 | err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate); |
1963 | if (err) |
1964 | goto out; |
1965 | cond_resched(); |
1966 | } |
1967 | err = test_hash_vs_generic_impl(generic_driver, maxkeysize, req, |
1968 | desc, tsgl, hashstate); |
1969 | out: |
1970 | kfree(hashstate); |
1971 | if (tsgl) { |
1972 | destroy_test_sglist(tsgl); |
1973 | kfree(tsgl); |
1974 | } |
1975 | kfree(desc); |
1976 | crypto_free_shash(stfm); |
1977 | ahash_request_free(req); |
1978 | crypto_free_ahash(atfm); |
1979 | return err; |
1980 | } |
1981 | |
1982 | static int alg_test_hash(const struct alg_test_desc *desc, const char *driver, |
1983 | u32 type, u32 mask) |
1984 | { |
1985 | const struct hash_testvec *template = desc->suite.hash.vecs; |
1986 | unsigned int tcount = desc->suite.hash.count; |
1987 | unsigned int nr_unkeyed, nr_keyed; |
1988 | unsigned int maxkeysize = 0; |
1989 | int err; |
1990 | |
1991 | /* |
1992 | * For OPTIONAL_KEY algorithms, we have to do all the unkeyed tests |
1993 | * first, before setting a key on the tfm. To make this easier, we |
1994 | * require that the unkeyed test vectors (if any) are listed first. |
1995 | */ |
1996 | |
1997 | for (nr_unkeyed = 0; nr_unkeyed < tcount; nr_unkeyed++) { |
1998 | if (template[nr_unkeyed].ksize) |
1999 | break; |
2000 | } |
2001 | for (nr_keyed = 0; nr_unkeyed + nr_keyed < tcount; nr_keyed++) { |
2002 | if (!template[nr_unkeyed + nr_keyed].ksize) { |
2003 | pr_err("alg: hash: test vectors for %s out of order, " |
2004 | "unkeyed ones must come first\n" , desc->alg); |
2005 | return -EINVAL; |
2006 | } |
2007 | maxkeysize = max_t(unsigned int, maxkeysize, |
2008 | template[nr_unkeyed + nr_keyed].ksize); |
2009 | } |
2010 | |
2011 | err = 0; |
2012 | if (nr_unkeyed) { |
2013 | err = __alg_test_hash(template, nr_unkeyed, driver, type, mask, |
2014 | desc->generic_driver, maxkeysize); |
2015 | template += nr_unkeyed; |
2016 | } |
2017 | |
2018 | if (!err && nr_keyed) |
2019 | err = __alg_test_hash(template, nr_keyed, driver, type, mask, |
2020 | desc->generic_driver, maxkeysize); |
2021 | |
2022 | return err; |
2023 | } |
2024 | |
2025 | static int test_aead_vec_cfg(int enc, const struct aead_testvec *vec, |
2026 | const char *vec_name, |
2027 | const struct testvec_config *cfg, |
2028 | struct aead_request *req, |
2029 | struct cipher_test_sglists *tsgls) |
2030 | { |
2031 | struct crypto_aead *tfm = crypto_aead_reqtfm(req); |
2032 | const unsigned int alignmask = crypto_aead_alignmask(tfm); |
2033 | const unsigned int ivsize = crypto_aead_ivsize(tfm); |
2034 | const unsigned int authsize = vec->clen - vec->plen; |
2035 | const char *driver = crypto_aead_driver_name(tfm); |
2036 | const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags; |
2037 | const char *op = enc ? "encryption" : "decryption" ; |
2038 | DECLARE_CRYPTO_WAIT(wait); |
2039 | u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN]; |
2040 | u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) + |
2041 | cfg->iv_offset + |
2042 | (cfg->iv_offset_relative_to_alignmask ? alignmask : 0); |
2043 | struct kvec input[2]; |
2044 | int err; |
2045 | |
2046 | /* Set the key */ |
2047 | if (vec->wk) |
2048 | crypto_aead_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); |
2049 | else |
2050 | crypto_aead_clear_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); |
2051 | |
2052 | err = do_setkey(crypto_aead_setkey, tfm, vec->key, vec->klen, |
2053 | cfg, alignmask); |
2054 | if (err && err != vec->setkey_error) { |
2055 | pr_err("alg: aead: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n" , |
2056 | driver, vec_name, vec->setkey_error, err, |
2057 | crypto_aead_get_flags(tfm)); |
2058 | return err; |
2059 | } |
2060 | if (!err && vec->setkey_error) { |
2061 | pr_err("alg: aead: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n" , |
2062 | driver, vec_name, vec->setkey_error); |
2063 | return -EINVAL; |
2064 | } |
2065 | |
2066 | /* Set the authentication tag size */ |
2067 | err = crypto_aead_setauthsize(tfm, authsize); |
2068 | if (err && err != vec->setauthsize_error) { |
2069 | pr_err("alg: aead: %s setauthsize failed on test vector %s; expected_error=%d, actual_error=%d\n" , |
2070 | driver, vec_name, vec->setauthsize_error, err); |
2071 | return err; |
2072 | } |
2073 | if (!err && vec->setauthsize_error) { |
2074 | pr_err("alg: aead: %s setauthsize unexpectedly succeeded on test vector %s; expected_error=%d\n" , |
2075 | driver, vec_name, vec->setauthsize_error); |
2076 | return -EINVAL; |
2077 | } |
2078 | |
2079 | if (vec->setkey_error || vec->setauthsize_error) |
2080 | return 0; |
2081 | |
2082 | /* The IV must be copied to a buffer, as the algorithm may modify it */ |
2083 | if (WARN_ON(ivsize > MAX_IVLEN)) |
2084 | return -EINVAL; |
2085 | if (vec->iv) |
2086 | memcpy(iv, vec->iv, ivsize); |
2087 | else |
2088 | memset(iv, 0, ivsize); |
2089 | |
2090 | /* Build the src/dst scatterlists */ |
2091 | input[0].iov_base = (void *)vec->assoc; |
2092 | input[0].iov_len = vec->alen; |
2093 | input[1].iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext; |
2094 | input[1].iov_len = enc ? vec->plen : vec->clen; |
2095 | err = build_cipher_test_sglists(tsgls, cfg, alignmask, |
2096 | vec->alen + (enc ? vec->plen : |
2097 | vec->clen), |
2098 | vec->alen + (enc ? vec->clen : |
2099 | vec->plen), |
2100 | input, 2); |
2101 | if (err) { |
2102 | pr_err("alg: aead: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n" , |
2103 | driver, op, vec_name, cfg->name); |
2104 | return err; |
2105 | } |
2106 | |
2107 | /* Do the actual encryption or decryption */ |
2108 | testmgr_poison(req->__ctx, crypto_aead_reqsize(tfm)); |
2109 | aead_request_set_callback(req, req_flags, crypto_req_done, &wait); |
2110 | aead_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr, |
2111 | enc ? vec->plen : vec->clen, iv); |
2112 | aead_request_set_ad(req, vec->alen); |
2113 | if (cfg->nosimd) |
2114 | crypto_disable_simd_for_test(); |
2115 | err = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); |
2116 | if (cfg->nosimd) |
2117 | crypto_reenable_simd_for_test(); |
2118 | err = crypto_wait_req(err, &wait); |
2119 | |
2120 | /* Check that the algorithm didn't overwrite things it shouldn't have */ |
2121 | if (req->cryptlen != (enc ? vec->plen : vec->clen) || |
2122 | req->assoclen != vec->alen || |
2123 | req->iv != iv || |
2124 | req->src != tsgls->src.sgl_ptr || |
2125 | req->dst != tsgls->dst.sgl_ptr || |
2126 | crypto_aead_reqtfm(req) != tfm || |
2127 | req->base.complete != crypto_req_done || |
2128 | req->base.flags != req_flags || |
2129 | req->base.data != &wait) { |
2130 | pr_err("alg: aead: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n" , |
2131 | driver, op, vec_name, cfg->name); |
2132 | if (req->cryptlen != (enc ? vec->plen : vec->clen)) |
2133 | pr_err("alg: aead: changed 'req->cryptlen'\n" ); |
2134 | if (req->assoclen != vec->alen) |
2135 | pr_err("alg: aead: changed 'req->assoclen'\n" ); |
2136 | if (req->iv != iv) |
2137 | pr_err("alg: aead: changed 'req->iv'\n" ); |
2138 | if (req->src != tsgls->src.sgl_ptr) |
2139 | pr_err("alg: aead: changed 'req->src'\n" ); |
2140 | if (req->dst != tsgls->dst.sgl_ptr) |
2141 | pr_err("alg: aead: changed 'req->dst'\n" ); |
2142 | if (crypto_aead_reqtfm(req) != tfm) |
2143 | pr_err("alg: aead: changed 'req->base.tfm'\n" ); |
2144 | if (req->base.complete != crypto_req_done) |
2145 | pr_err("alg: aead: changed 'req->base.complete'\n" ); |
2146 | if (req->base.flags != req_flags) |
2147 | pr_err("alg: aead: changed 'req->base.flags'\n" ); |
2148 | if (req->base.data != &wait) |
2149 | pr_err("alg: aead: changed 'req->base.data'\n" ); |
2150 | return -EINVAL; |
2151 | } |
2152 | if (is_test_sglist_corrupted(&tsgls->src)) { |
2153 | pr_err("alg: aead: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n" , |
2154 | driver, op, vec_name, cfg->name); |
2155 | return -EINVAL; |
2156 | } |
2157 | if (tsgls->dst.sgl_ptr != tsgls->src.sgl && |
2158 | is_test_sglist_corrupted(&tsgls->dst)) { |
2159 | pr_err("alg: aead: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n" , |
2160 | driver, op, vec_name, cfg->name); |
2161 | return -EINVAL; |
2162 | } |
2163 | |
2164 | /* Check for unexpected success or failure, or wrong error code */ |
2165 | if ((err == 0 && vec->novrfy) || |
2166 | (err != vec->crypt_error && !(err == -EBADMSG && vec->novrfy))) { |
2167 | char expected_error[32]; |
2168 | |
2169 | if (vec->novrfy && |
2170 | vec->crypt_error != 0 && vec->crypt_error != -EBADMSG) |
2171 | sprintf(expected_error, "-EBADMSG or %d" , |
2172 | vec->crypt_error); |
2173 | else if (vec->novrfy) |
2174 | sprintf(expected_error, "-EBADMSG" ); |
2175 | else |
2176 | sprintf(expected_error, "%d" , vec->crypt_error); |
2177 | if (err) { |
2178 | pr_err("alg: aead: %s %s failed on test vector %s; expected_error=%s, actual_error=%d, cfg=\"%s\"\n" , |
2179 | driver, op, vec_name, expected_error, err, |
2180 | cfg->name); |
2181 | return err; |
2182 | } |
2183 | pr_err("alg: aead: %s %s unexpectedly succeeded on test vector %s; expected_error=%s, cfg=\"%s\"\n" , |
2184 | driver, op, vec_name, expected_error, cfg->name); |
2185 | return -EINVAL; |
2186 | } |
2187 | if (err) /* Expectedly failed. */ |
2188 | return 0; |
2189 | |
2190 | /* Check for the correct output (ciphertext or plaintext) */ |
2191 | err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext, |
2192 | enc ? vec->clen : vec->plen, |
2193 | vec->alen, |
2194 | enc || cfg->inplace_mode == OUT_OF_PLACE); |
2195 | if (err == -EOVERFLOW) { |
2196 | pr_err("alg: aead: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n" , |
2197 | driver, op, vec_name, cfg->name); |
2198 | return err; |
2199 | } |
2200 | if (err) { |
2201 | pr_err("alg: aead: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n" , |
2202 | driver, op, vec_name, cfg->name); |
2203 | return err; |
2204 | } |
2205 | |
2206 | return 0; |
2207 | } |
2208 | |
2209 | static int test_aead_vec(int enc, const struct aead_testvec *vec, |
2210 | unsigned int vec_num, struct aead_request *req, |
2211 | struct cipher_test_sglists *tsgls) |
2212 | { |
2213 | char vec_name[16]; |
2214 | unsigned int i; |
2215 | int err; |
2216 | |
2217 | if (enc && vec->novrfy) |
2218 | return 0; |
2219 | |
2220 | sprintf(vec_name, "%u" , vec_num); |
2221 | |
2222 | for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) { |
2223 | err = test_aead_vec_cfg(enc, vec, vec_name, |
2224 | &default_cipher_testvec_configs[i], |
2225 | req, tsgls); |
2226 | if (err) |
2227 | return err; |
2228 | } |
2229 | |
2230 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
2231 | if (!noextratests) { |
2232 | struct rnd_state rng; |
2233 | struct testvec_config cfg; |
2234 | char cfgname[TESTVEC_CONFIG_NAMELEN]; |
2235 | |
2236 | init_rnd_state(&rng); |
2237 | |
2238 | for (i = 0; i < fuzz_iterations; i++) { |
2239 | generate_random_testvec_config(&rng, &cfg, cfgname, |
2240 | sizeof(cfgname)); |
2241 | err = test_aead_vec_cfg(enc, vec, vec_name, |
2242 | &cfg, req, tsgls); |
2243 | if (err) |
2244 | return err; |
2245 | cond_resched(); |
2246 | } |
2247 | } |
2248 | #endif |
2249 | return 0; |
2250 | } |
2251 | |
2252 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
2253 | |
2254 | struct aead_extra_tests_ctx { |
2255 | struct rnd_state rng; |
2256 | struct aead_request *req; |
2257 | struct crypto_aead *tfm; |
2258 | const struct alg_test_desc *test_desc; |
2259 | struct cipher_test_sglists *tsgls; |
2260 | unsigned int maxdatasize; |
2261 | unsigned int maxkeysize; |
2262 | |
2263 | struct aead_testvec vec; |
2264 | char vec_name[64]; |
2265 | char cfgname[TESTVEC_CONFIG_NAMELEN]; |
2266 | struct testvec_config cfg; |
2267 | }; |
2268 | |
2269 | /* |
2270 | * Make at least one random change to a (ciphertext, AAD) pair. "Ciphertext" |
2271 | * here means the full ciphertext including the authentication tag. The |
2272 | * authentication tag (and hence also the ciphertext) is assumed to be nonempty. |
2273 | */ |
2274 | static void mutate_aead_message(struct rnd_state *rng, |
2275 | struct aead_testvec *vec, bool aad_iv, |
2276 | unsigned int ivsize) |
2277 | { |
2278 | const unsigned int aad_tail_size = aad_iv ? ivsize : 0; |
2279 | const unsigned int authsize = vec->clen - vec->plen; |
2280 | |
2281 | if (prandom_bool(rng) && vec->alen > aad_tail_size) { |
2282 | /* Mutate the AAD */ |
2283 | flip_random_bit(rng, (u8 *)vec->assoc, |
2284 | vec->alen - aad_tail_size); |
2285 | if (prandom_bool(rng)) |
2286 | return; |
2287 | } |
2288 | if (prandom_bool(rng)) { |
2289 | /* Mutate auth tag (assuming it's at the end of ciphertext) */ |
2290 | flip_random_bit(rng, (u8 *)vec->ctext + vec->plen, authsize); |
2291 | } else { |
2292 | /* Mutate any part of the ciphertext */ |
2293 | flip_random_bit(rng, (u8 *)vec->ctext, vec->clen); |
2294 | } |
2295 | } |
2296 | |
2297 | /* |
2298 | * Minimum authentication tag size in bytes at which we assume that we can |
2299 | * reliably generate inauthentic messages, i.e. not generate an authentic |
2300 | * message by chance. |
2301 | */ |
2302 | #define MIN_COLLISION_FREE_AUTHSIZE 8 |
2303 | |
2304 | static void generate_aead_message(struct rnd_state *rng, |
2305 | struct aead_request *req, |
2306 | const struct aead_test_suite *suite, |
2307 | struct aead_testvec *vec, |
2308 | bool prefer_inauthentic) |
2309 | { |
2310 | struct crypto_aead *tfm = crypto_aead_reqtfm(req); |
2311 | const unsigned int ivsize = crypto_aead_ivsize(tfm); |
2312 | const unsigned int authsize = vec->clen - vec->plen; |
2313 | const bool inauthentic = (authsize >= MIN_COLLISION_FREE_AUTHSIZE) && |
2314 | (prefer_inauthentic || |
2315 | prandom_u32_below(rng, 4) == 0); |
2316 | |
2317 | /* Generate the AAD. */ |
2318 | generate_random_bytes(rng, (u8 *)vec->assoc, vec->alen); |
2319 | if (suite->aad_iv && vec->alen >= ivsize) |
2320 | /* Avoid implementation-defined behavior. */ |
2321 | memcpy((u8 *)vec->assoc + vec->alen - ivsize, vec->iv, ivsize); |
2322 | |
2323 | if (inauthentic && prandom_bool(rng)) { |
2324 | /* Generate a random ciphertext. */ |
2325 | generate_random_bytes(rng, (u8 *)vec->ctext, vec->clen); |
2326 | } else { |
2327 | int i = 0; |
2328 | struct scatterlist src[2], dst; |
2329 | u8 iv[MAX_IVLEN]; |
2330 | DECLARE_CRYPTO_WAIT(wait); |
2331 | |
2332 | /* Generate a random plaintext and encrypt it. */ |
2333 | sg_init_table(src, 2); |
2334 | if (vec->alen) |
2335 | sg_set_buf(&src[i++], vec->assoc, vec->alen); |
2336 | if (vec->plen) { |
2337 | generate_random_bytes(rng, (u8 *)vec->ptext, vec->plen); |
2338 | sg_set_buf(&src[i++], vec->ptext, vec->plen); |
2339 | } |
2340 | sg_init_one(&dst, vec->ctext, vec->alen + vec->clen); |
2341 | memcpy(iv, vec->iv, ivsize); |
2342 | aead_request_set_callback(req, 0, crypto_req_done, &wait); |
2343 | aead_request_set_crypt(req, src, &dst, vec->plen, iv); |
2344 | aead_request_set_ad(req, vec->alen); |
2345 | vec->crypt_error = crypto_wait_req(crypto_aead_encrypt(req), |
2346 | &wait); |
2347 | /* If encryption failed, we're done. */ |
2348 | if (vec->crypt_error != 0) |
2349 | return; |
2350 | memmove((u8 *)vec->ctext, vec->ctext + vec->alen, vec->clen); |
2351 | if (!inauthentic) |
2352 | return; |
2353 | /* |
2354 | * Mutate the authentic (ciphertext, AAD) pair to get an |
2355 | * inauthentic one. |
2356 | */ |
2357 | mutate_aead_message(rng, vec, suite->aad_iv, ivsize); |
2358 | } |
2359 | vec->novrfy = 1; |
2360 | if (suite->einval_allowed) |
2361 | vec->crypt_error = -EINVAL; |
2362 | } |
2363 | |
2364 | /* |
2365 | * Generate an AEAD test vector 'vec' using the implementation specified by |
2366 | * 'req'. The buffers in 'vec' must already be allocated. |
2367 | * |
2368 | * If 'prefer_inauthentic' is true, then this function will generate inauthentic |
2369 | * test vectors (i.e. vectors with 'vec->novrfy=1') more often. |
2370 | */ |
2371 | static void generate_random_aead_testvec(struct rnd_state *rng, |
2372 | struct aead_request *req, |
2373 | struct aead_testvec *vec, |
2374 | const struct aead_test_suite *suite, |
2375 | unsigned int maxkeysize, |
2376 | unsigned int maxdatasize, |
2377 | char *name, size_t max_namelen, |
2378 | bool prefer_inauthentic) |
2379 | { |
2380 | struct crypto_aead *tfm = crypto_aead_reqtfm(req); |
2381 | const unsigned int ivsize = crypto_aead_ivsize(tfm); |
2382 | const unsigned int maxauthsize = crypto_aead_maxauthsize(tfm); |
2383 | unsigned int authsize; |
2384 | unsigned int total_len; |
2385 | |
2386 | /* Key: length in [0, maxkeysize], but usually choose maxkeysize */ |
2387 | vec->klen = maxkeysize; |
2388 | if (prandom_u32_below(rng, 4) == 0) |
2389 | vec->klen = prandom_u32_below(rng, maxkeysize + 1); |
2390 | generate_random_bytes(rng, (u8 *)vec->key, vec->klen); |
2391 | vec->setkey_error = crypto_aead_setkey(tfm, vec->key, vec->klen); |
2392 | |
2393 | /* IV */ |
2394 | generate_random_bytes(rng, (u8 *)vec->iv, ivsize); |
2395 | |
2396 | /* Tag length: in [0, maxauthsize], but usually choose maxauthsize */ |
2397 | authsize = maxauthsize; |
2398 | if (prandom_u32_below(rng, 4) == 0) |
2399 | authsize = prandom_u32_below(rng, maxauthsize + 1); |
2400 | if (prefer_inauthentic && authsize < MIN_COLLISION_FREE_AUTHSIZE) |
2401 | authsize = MIN_COLLISION_FREE_AUTHSIZE; |
2402 | if (WARN_ON(authsize > maxdatasize)) |
2403 | authsize = maxdatasize; |
2404 | maxdatasize -= authsize; |
2405 | vec->setauthsize_error = crypto_aead_setauthsize(tfm, authsize); |
2406 | |
2407 | /* AAD, plaintext, and ciphertext lengths */ |
2408 | total_len = generate_random_length(rng, maxdatasize); |
2409 | if (prandom_u32_below(rng, 4) == 0) |
2410 | vec->alen = 0; |
2411 | else |
2412 | vec->alen = generate_random_length(rng, total_len); |
2413 | vec->plen = total_len - vec->alen; |
2414 | vec->clen = vec->plen + authsize; |
2415 | |
2416 | /* |
2417 | * Generate the AAD, plaintext, and ciphertext. Not applicable if the |
2418 | * key or the authentication tag size couldn't be set. |
2419 | */ |
2420 | vec->novrfy = 0; |
2421 | vec->crypt_error = 0; |
2422 | if (vec->setkey_error == 0 && vec->setauthsize_error == 0) |
2423 | generate_aead_message(rng, req, suite, vec, prefer_inauthentic); |
2424 | snprintf(name, max_namelen, |
2425 | "\"random: alen=%u plen=%u authsize=%u klen=%u novrfy=%d\"" , |
2426 | vec->alen, vec->plen, authsize, vec->klen, vec->novrfy); |
2427 | } |
2428 | |
2429 | static void try_to_generate_inauthentic_testvec( |
2430 | struct aead_extra_tests_ctx *ctx) |
2431 | { |
2432 | int i; |
2433 | |
2434 | for (i = 0; i < 10; i++) { |
2435 | generate_random_aead_testvec(&ctx->rng, ctx->req, &ctx->vec, |
2436 | &ctx->test_desc->suite.aead, |
2437 | ctx->maxkeysize, ctx->maxdatasize, |
2438 | ctx->vec_name, |
2439 | sizeof(ctx->vec_name), true); |
2440 | if (ctx->vec.novrfy) |
2441 | return; |
2442 | } |
2443 | } |
2444 | |
2445 | /* |
2446 | * Generate inauthentic test vectors (i.e. ciphertext, AAD pairs that aren't the |
2447 | * result of an encryption with the key) and verify that decryption fails. |
2448 | */ |
2449 | static int test_aead_inauthentic_inputs(struct aead_extra_tests_ctx *ctx) |
2450 | { |
2451 | unsigned int i; |
2452 | int err; |
2453 | |
2454 | for (i = 0; i < fuzz_iterations * 8; i++) { |
2455 | /* |
2456 | * Since this part of the tests isn't comparing the |
2457 | * implementation to another, there's no point in testing any |
2458 | * test vectors other than inauthentic ones (vec.novrfy=1) here. |
2459 | * |
2460 | * If we're having trouble generating such a test vector, e.g. |
2461 | * if the algorithm keeps rejecting the generated keys, don't |
2462 | * retry forever; just continue on. |
2463 | */ |
2464 | try_to_generate_inauthentic_testvec(ctx); |
2465 | if (ctx->vec.novrfy) { |
2466 | generate_random_testvec_config(&ctx->rng, &ctx->cfg, |
2467 | ctx->cfgname, |
2468 | sizeof(ctx->cfgname)); |
2469 | err = test_aead_vec_cfg(DECRYPT, &ctx->vec, |
2470 | ctx->vec_name, &ctx->cfg, |
2471 | ctx->req, ctx->tsgls); |
2472 | if (err) |
2473 | return err; |
2474 | } |
2475 | cond_resched(); |
2476 | } |
2477 | return 0; |
2478 | } |
2479 | |
2480 | /* |
2481 | * Test the AEAD algorithm against the corresponding generic implementation, if |
2482 | * one is available. |
2483 | */ |
2484 | static int test_aead_vs_generic_impl(struct aead_extra_tests_ctx *ctx) |
2485 | { |
2486 | struct crypto_aead *tfm = ctx->tfm; |
2487 | const char *algname = crypto_aead_alg(tfm)->base.cra_name; |
2488 | const char *driver = crypto_aead_driver_name(tfm); |
2489 | const char *generic_driver = ctx->test_desc->generic_driver; |
2490 | char _generic_driver[CRYPTO_MAX_ALG_NAME]; |
2491 | struct crypto_aead *generic_tfm = NULL; |
2492 | struct aead_request *generic_req = NULL; |
2493 | unsigned int i; |
2494 | int err; |
2495 | |
2496 | if (!generic_driver) { /* Use default naming convention? */ |
2497 | err = build_generic_driver_name(algname, _generic_driver); |
2498 | if (err) |
2499 | return err; |
2500 | generic_driver = _generic_driver; |
2501 | } |
2502 | |
2503 | if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */ |
2504 | return 0; |
2505 | |
2506 | generic_tfm = crypto_alloc_aead(generic_driver, 0, 0); |
2507 | if (IS_ERR(generic_tfm)) { |
2508 | err = PTR_ERR(generic_tfm); |
2509 | if (err == -ENOENT) { |
2510 | pr_warn("alg: aead: skipping comparison tests for %s because %s is unavailable\n" , |
2511 | driver, generic_driver); |
2512 | return 0; |
2513 | } |
2514 | pr_err("alg: aead: error allocating %s (generic impl of %s): %d\n" , |
2515 | generic_driver, algname, err); |
2516 | return err; |
2517 | } |
2518 | |
2519 | generic_req = aead_request_alloc(generic_tfm, GFP_KERNEL); |
2520 | if (!generic_req) { |
2521 | err = -ENOMEM; |
2522 | goto out; |
2523 | } |
2524 | |
2525 | /* Check the algorithm properties for consistency. */ |
2526 | |
2527 | if (crypto_aead_maxauthsize(tfm) != |
2528 | crypto_aead_maxauthsize(generic_tfm)) { |
2529 | pr_err("alg: aead: maxauthsize for %s (%u) doesn't match generic impl (%u)\n" , |
2530 | driver, crypto_aead_maxauthsize(tfm), |
2531 | crypto_aead_maxauthsize(generic_tfm)); |
2532 | err = -EINVAL; |
2533 | goto out; |
2534 | } |
2535 | |
2536 | if (crypto_aead_ivsize(tfm) != crypto_aead_ivsize(generic_tfm)) { |
2537 | pr_err("alg: aead: ivsize for %s (%u) doesn't match generic impl (%u)\n" , |
2538 | driver, crypto_aead_ivsize(tfm), |
2539 | crypto_aead_ivsize(generic_tfm)); |
2540 | err = -EINVAL; |
2541 | goto out; |
2542 | } |
2543 | |
2544 | if (crypto_aead_blocksize(tfm) != crypto_aead_blocksize(generic_tfm)) { |
2545 | pr_err("alg: aead: blocksize for %s (%u) doesn't match generic impl (%u)\n" , |
2546 | driver, crypto_aead_blocksize(tfm), |
2547 | crypto_aead_blocksize(generic_tfm)); |
2548 | err = -EINVAL; |
2549 | goto out; |
2550 | } |
2551 | |
2552 | /* |
2553 | * Now generate test vectors using the generic implementation, and test |
2554 | * the other implementation against them. |
2555 | */ |
2556 | for (i = 0; i < fuzz_iterations * 8; i++) { |
2557 | generate_random_aead_testvec(&ctx->rng, generic_req, &ctx->vec, |
2558 | &ctx->test_desc->suite.aead, |
2559 | ctx->maxkeysize, ctx->maxdatasize, |
2560 | ctx->vec_name, |
2561 | sizeof(ctx->vec_name), false); |
2562 | generate_random_testvec_config(&ctx->rng, &ctx->cfg, |
2563 | ctx->cfgname, |
2564 | sizeof(ctx->cfgname)); |
2565 | if (!ctx->vec.novrfy) { |
2566 | err = test_aead_vec_cfg(ENCRYPT, &ctx->vec, |
2567 | ctx->vec_name, &ctx->cfg, |
2568 | ctx->req, ctx->tsgls); |
2569 | if (err) |
2570 | goto out; |
2571 | } |
2572 | if (ctx->vec.crypt_error == 0 || ctx->vec.novrfy) { |
2573 | err = test_aead_vec_cfg(DECRYPT, &ctx->vec, |
2574 | ctx->vec_name, &ctx->cfg, |
2575 | ctx->req, ctx->tsgls); |
2576 | if (err) |
2577 | goto out; |
2578 | } |
2579 | cond_resched(); |
2580 | } |
2581 | err = 0; |
2582 | out: |
2583 | crypto_free_aead(generic_tfm); |
2584 | aead_request_free(generic_req); |
2585 | return err; |
2586 | } |
2587 | |
2588 | static int test_aead_extra(const struct alg_test_desc *test_desc, |
2589 | struct aead_request *req, |
2590 | struct cipher_test_sglists *tsgls) |
2591 | { |
2592 | struct aead_extra_tests_ctx *ctx; |
2593 | unsigned int i; |
2594 | int err; |
2595 | |
2596 | if (noextratests) |
2597 | return 0; |
2598 | |
2599 | ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); |
2600 | if (!ctx) |
2601 | return -ENOMEM; |
2602 | init_rnd_state(&ctx->rng); |
2603 | ctx->req = req; |
2604 | ctx->tfm = crypto_aead_reqtfm(req); |
2605 | ctx->test_desc = test_desc; |
2606 | ctx->tsgls = tsgls; |
2607 | ctx->maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN; |
2608 | ctx->maxkeysize = 0; |
2609 | for (i = 0; i < test_desc->suite.aead.count; i++) |
2610 | ctx->maxkeysize = max_t(unsigned int, ctx->maxkeysize, |
2611 | test_desc->suite.aead.vecs[i].klen); |
2612 | |
2613 | ctx->vec.key = kmalloc(ctx->maxkeysize, GFP_KERNEL); |
2614 | ctx->vec.iv = kmalloc(crypto_aead_ivsize(ctx->tfm), GFP_KERNEL); |
2615 | ctx->vec.assoc = kmalloc(ctx->maxdatasize, GFP_KERNEL); |
2616 | ctx->vec.ptext = kmalloc(ctx->maxdatasize, GFP_KERNEL); |
2617 | ctx->vec.ctext = kmalloc(ctx->maxdatasize, GFP_KERNEL); |
2618 | if (!ctx->vec.key || !ctx->vec.iv || !ctx->vec.assoc || |
2619 | !ctx->vec.ptext || !ctx->vec.ctext) { |
2620 | err = -ENOMEM; |
2621 | goto out; |
2622 | } |
2623 | |
2624 | err = test_aead_vs_generic_impl(ctx); |
2625 | if (err) |
2626 | goto out; |
2627 | |
2628 | err = test_aead_inauthentic_inputs(ctx); |
2629 | out: |
2630 | kfree(ctx->vec.key); |
2631 | kfree(ctx->vec.iv); |
2632 | kfree(ctx->vec.assoc); |
2633 | kfree(ctx->vec.ptext); |
2634 | kfree(ctx->vec.ctext); |
2635 | kfree(ctx); |
2636 | return err; |
2637 | } |
2638 | #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
2639 | static int test_aead_extra(const struct alg_test_desc *test_desc, |
2640 | struct aead_request *req, |
2641 | struct cipher_test_sglists *tsgls) |
2642 | { |
2643 | return 0; |
2644 | } |
2645 | #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
2646 | |
2647 | static int test_aead(int enc, const struct aead_test_suite *suite, |
2648 | struct aead_request *req, |
2649 | struct cipher_test_sglists *tsgls) |
2650 | { |
2651 | unsigned int i; |
2652 | int err; |
2653 | |
2654 | for (i = 0; i < suite->count; i++) { |
2655 | err = test_aead_vec(enc, &suite->vecs[i], i, req, tsgls); |
2656 | if (err) |
2657 | return err; |
2658 | cond_resched(); |
2659 | } |
2660 | return 0; |
2661 | } |
2662 | |
2663 | static int alg_test_aead(const struct alg_test_desc *desc, const char *driver, |
2664 | u32 type, u32 mask) |
2665 | { |
2666 | const struct aead_test_suite *suite = &desc->suite.aead; |
2667 | struct crypto_aead *tfm; |
2668 | struct aead_request *req = NULL; |
2669 | struct cipher_test_sglists *tsgls = NULL; |
2670 | int err; |
2671 | |
2672 | if (suite->count <= 0) { |
2673 | pr_err("alg: aead: empty test suite for %s\n" , driver); |
2674 | return -EINVAL; |
2675 | } |
2676 | |
2677 | tfm = crypto_alloc_aead(driver, type, mask); |
2678 | if (IS_ERR(tfm)) { |
2679 | pr_err("alg: aead: failed to allocate transform for %s: %ld\n" , |
2680 | driver, PTR_ERR(tfm)); |
2681 | return PTR_ERR(tfm); |
2682 | } |
2683 | driver = crypto_aead_driver_name(tfm); |
2684 | |
2685 | req = aead_request_alloc(tfm, GFP_KERNEL); |
2686 | if (!req) { |
2687 | pr_err("alg: aead: failed to allocate request for %s\n" , |
2688 | driver); |
2689 | err = -ENOMEM; |
2690 | goto out; |
2691 | } |
2692 | |
2693 | tsgls = alloc_cipher_test_sglists(); |
2694 | if (!tsgls) { |
2695 | pr_err("alg: aead: failed to allocate test buffers for %s\n" , |
2696 | driver); |
2697 | err = -ENOMEM; |
2698 | goto out; |
2699 | } |
2700 | |
2701 | err = test_aead(ENCRYPT, suite, req, tsgls); |
2702 | if (err) |
2703 | goto out; |
2704 | |
2705 | err = test_aead(DECRYPT, suite, req, tsgls); |
2706 | if (err) |
2707 | goto out; |
2708 | |
2709 | err = test_aead_extra(desc, req, tsgls); |
2710 | out: |
2711 | free_cipher_test_sglists(tsgls); |
2712 | aead_request_free(req); |
2713 | crypto_free_aead(tfm); |
2714 | return err; |
2715 | } |
2716 | |
2717 | static int test_cipher(struct crypto_cipher *tfm, int enc, |
2718 | const struct cipher_testvec *template, |
2719 | unsigned int tcount) |
2720 | { |
2721 | const char *algo = crypto_tfm_alg_driver_name(crypto_cipher_tfm(tfm)); |
2722 | unsigned int i, j, k; |
2723 | char *q; |
2724 | const char *e; |
2725 | const char *input, *result; |
2726 | void *data; |
2727 | char *xbuf[XBUFSIZE]; |
2728 | int ret = -ENOMEM; |
2729 | |
2730 | if (testmgr_alloc_buf(xbuf)) |
2731 | goto out_nobuf; |
2732 | |
2733 | if (enc == ENCRYPT) |
2734 | e = "encryption" ; |
2735 | else |
2736 | e = "decryption" ; |
2737 | |
2738 | j = 0; |
2739 | for (i = 0; i < tcount; i++) { |
2740 | |
2741 | if (fips_enabled && template[i].fips_skip) |
2742 | continue; |
2743 | |
2744 | input = enc ? template[i].ptext : template[i].ctext; |
2745 | result = enc ? template[i].ctext : template[i].ptext; |
2746 | j++; |
2747 | |
2748 | ret = -EINVAL; |
2749 | if (WARN_ON(template[i].len > PAGE_SIZE)) |
2750 | goto out; |
2751 | |
2752 | data = xbuf[0]; |
2753 | memcpy(data, input, template[i].len); |
2754 | |
2755 | crypto_cipher_clear_flags(tfm, ~0); |
2756 | if (template[i].wk) |
2757 | crypto_cipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); |
2758 | |
2759 | ret = crypto_cipher_setkey(tfm, template[i].key, |
2760 | template[i].klen); |
2761 | if (ret) { |
2762 | if (ret == template[i].setkey_error) |
2763 | continue; |
2764 | pr_err("alg: cipher: %s setkey failed on test vector %u; expected_error=%d, actual_error=%d, flags=%#x\n" , |
2765 | algo, j, template[i].setkey_error, ret, |
2766 | crypto_cipher_get_flags(tfm)); |
2767 | goto out; |
2768 | } |
2769 | if (template[i].setkey_error) { |
2770 | pr_err("alg: cipher: %s setkey unexpectedly succeeded on test vector %u; expected_error=%d\n" , |
2771 | algo, j, template[i].setkey_error); |
2772 | ret = -EINVAL; |
2773 | goto out; |
2774 | } |
2775 | |
2776 | for (k = 0; k < template[i].len; |
2777 | k += crypto_cipher_blocksize(tfm)) { |
2778 | if (enc) |
2779 | crypto_cipher_encrypt_one(tfm, data + k, |
2780 | data + k); |
2781 | else |
2782 | crypto_cipher_decrypt_one(tfm, data + k, |
2783 | data + k); |
2784 | } |
2785 | |
2786 | q = data; |
2787 | if (memcmp(q, result, template[i].len)) { |
2788 | printk(KERN_ERR "alg: cipher: Test %d failed " |
2789 | "on %s for %s\n" , j, e, algo); |
2790 | hexdump(q, template[i].len); |
2791 | ret = -EINVAL; |
2792 | goto out; |
2793 | } |
2794 | } |
2795 | |
2796 | ret = 0; |
2797 | |
2798 | out: |
2799 | testmgr_free_buf(xbuf); |
2800 | out_nobuf: |
2801 | return ret; |
2802 | } |
2803 | |
2804 | static int test_skcipher_vec_cfg(int enc, const struct cipher_testvec *vec, |
2805 | const char *vec_name, |
2806 | const struct testvec_config *cfg, |
2807 | struct skcipher_request *req, |
2808 | struct cipher_test_sglists *tsgls) |
2809 | { |
2810 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
2811 | const unsigned int alignmask = crypto_skcipher_alignmask(tfm); |
2812 | const unsigned int ivsize = crypto_skcipher_ivsize(tfm); |
2813 | const char *driver = crypto_skcipher_driver_name(tfm); |
2814 | const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags; |
2815 | const char *op = enc ? "encryption" : "decryption" ; |
2816 | DECLARE_CRYPTO_WAIT(wait); |
2817 | u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN]; |
2818 | u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) + |
2819 | cfg->iv_offset + |
2820 | (cfg->iv_offset_relative_to_alignmask ? alignmask : 0); |
2821 | struct kvec input; |
2822 | int err; |
2823 | |
2824 | /* Set the key */ |
2825 | if (vec->wk) |
2826 | crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); |
2827 | else |
2828 | crypto_skcipher_clear_flags(tfm, |
2829 | CRYPTO_TFM_REQ_FORBID_WEAK_KEYS); |
2830 | err = do_setkey(crypto_skcipher_setkey, tfm, vec->key, vec->klen, |
2831 | cfg, alignmask); |
2832 | if (err) { |
2833 | if (err == vec->setkey_error) |
2834 | return 0; |
2835 | pr_err("alg: skcipher: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n" , |
2836 | driver, vec_name, vec->setkey_error, err, |
2837 | crypto_skcipher_get_flags(tfm)); |
2838 | return err; |
2839 | } |
2840 | if (vec->setkey_error) { |
2841 | pr_err("alg: skcipher: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n" , |
2842 | driver, vec_name, vec->setkey_error); |
2843 | return -EINVAL; |
2844 | } |
2845 | |
2846 | /* The IV must be copied to a buffer, as the algorithm may modify it */ |
2847 | if (ivsize) { |
2848 | if (WARN_ON(ivsize > MAX_IVLEN)) |
2849 | return -EINVAL; |
2850 | if (vec->generates_iv && !enc) |
2851 | memcpy(iv, vec->iv_out, ivsize); |
2852 | else if (vec->iv) |
2853 | memcpy(iv, vec->iv, ivsize); |
2854 | else |
2855 | memset(iv, 0, ivsize); |
2856 | } else { |
2857 | if (vec->generates_iv) { |
2858 | pr_err("alg: skcipher: %s has ivsize=0 but test vector %s generates IV!\n" , |
2859 | driver, vec_name); |
2860 | return -EINVAL; |
2861 | } |
2862 | iv = NULL; |
2863 | } |
2864 | |
2865 | /* Build the src/dst scatterlists */ |
2866 | input.iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext; |
2867 | input.iov_len = vec->len; |
2868 | err = build_cipher_test_sglists(tsgls, cfg, alignmask, |
2869 | vec->len, vec->len, &input, 1); |
2870 | if (err) { |
2871 | pr_err("alg: skcipher: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n" , |
2872 | driver, op, vec_name, cfg->name); |
2873 | return err; |
2874 | } |
2875 | |
2876 | /* Do the actual encryption or decryption */ |
2877 | testmgr_poison(req->__ctx, crypto_skcipher_reqsize(tfm)); |
2878 | skcipher_request_set_callback(req, req_flags, crypto_req_done, &wait); |
2879 | skcipher_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr, |
2880 | vec->len, iv); |
2881 | if (cfg->nosimd) |
2882 | crypto_disable_simd_for_test(); |
2883 | err = enc ? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req); |
2884 | if (cfg->nosimd) |
2885 | crypto_reenable_simd_for_test(); |
2886 | err = crypto_wait_req(err, &wait); |
2887 | |
2888 | /* Check that the algorithm didn't overwrite things it shouldn't have */ |
2889 | if (req->cryptlen != vec->len || |
2890 | req->iv != iv || |
2891 | req->src != tsgls->src.sgl_ptr || |
2892 | req->dst != tsgls->dst.sgl_ptr || |
2893 | crypto_skcipher_reqtfm(req) != tfm || |
2894 | req->base.complete != crypto_req_done || |
2895 | req->base.flags != req_flags || |
2896 | req->base.data != &wait) { |
2897 | pr_err("alg: skcipher: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n" , |
2898 | driver, op, vec_name, cfg->name); |
2899 | if (req->cryptlen != vec->len) |
2900 | pr_err("alg: skcipher: changed 'req->cryptlen'\n" ); |
2901 | if (req->iv != iv) |
2902 | pr_err("alg: skcipher: changed 'req->iv'\n" ); |
2903 | if (req->src != tsgls->src.sgl_ptr) |
2904 | pr_err("alg: skcipher: changed 'req->src'\n" ); |
2905 | if (req->dst != tsgls->dst.sgl_ptr) |
2906 | pr_err("alg: skcipher: changed 'req->dst'\n" ); |
2907 | if (crypto_skcipher_reqtfm(req) != tfm) |
2908 | pr_err("alg: skcipher: changed 'req->base.tfm'\n" ); |
2909 | if (req->base.complete != crypto_req_done) |
2910 | pr_err("alg: skcipher: changed 'req->base.complete'\n" ); |
2911 | if (req->base.flags != req_flags) |
2912 | pr_err("alg: skcipher: changed 'req->base.flags'\n" ); |
2913 | if (req->base.data != &wait) |
2914 | pr_err("alg: skcipher: changed 'req->base.data'\n" ); |
2915 | return -EINVAL; |
2916 | } |
2917 | if (is_test_sglist_corrupted(&tsgls->src)) { |
2918 | pr_err("alg: skcipher: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n" , |
2919 | driver, op, vec_name, cfg->name); |
2920 | return -EINVAL; |
2921 | } |
2922 | if (tsgls->dst.sgl_ptr != tsgls->src.sgl && |
2923 | is_test_sglist_corrupted(&tsgls->dst)) { |
2924 | pr_err("alg: skcipher: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n" , |
2925 | driver, op, vec_name, cfg->name); |
2926 | return -EINVAL; |
2927 | } |
2928 | |
2929 | /* Check for success or failure */ |
2930 | if (err) { |
2931 | if (err == vec->crypt_error) |
2932 | return 0; |
2933 | pr_err("alg: skcipher: %s %s failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n" , |
2934 | driver, op, vec_name, vec->crypt_error, err, cfg->name); |
2935 | return err; |
2936 | } |
2937 | if (vec->crypt_error) { |
2938 | pr_err("alg: skcipher: %s %s unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n" , |
2939 | driver, op, vec_name, vec->crypt_error, cfg->name); |
2940 | return -EINVAL; |
2941 | } |
2942 | |
2943 | /* Check for the correct output (ciphertext or plaintext) */ |
2944 | err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext, |
2945 | vec->len, 0, true); |
2946 | if (err == -EOVERFLOW) { |
2947 | pr_err("alg: skcipher: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n" , |
2948 | driver, op, vec_name, cfg->name); |
2949 | return err; |
2950 | } |
2951 | if (err) { |
2952 | pr_err("alg: skcipher: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n" , |
2953 | driver, op, vec_name, cfg->name); |
2954 | return err; |
2955 | } |
2956 | |
2957 | /* If applicable, check that the algorithm generated the correct IV */ |
2958 | if (vec->iv_out && memcmp(iv, vec->iv_out, ivsize) != 0) { |
2959 | pr_err("alg: skcipher: %s %s test failed (wrong output IV) on test vector %s, cfg=\"%s\"\n" , |
2960 | driver, op, vec_name, cfg->name); |
2961 | hexdump(iv, ivsize); |
2962 | return -EINVAL; |
2963 | } |
2964 | |
2965 | return 0; |
2966 | } |
2967 | |
2968 | static int test_skcipher_vec(int enc, const struct cipher_testvec *vec, |
2969 | unsigned int vec_num, |
2970 | struct skcipher_request *req, |
2971 | struct cipher_test_sglists *tsgls) |
2972 | { |
2973 | char vec_name[16]; |
2974 | unsigned int i; |
2975 | int err; |
2976 | |
2977 | if (fips_enabled && vec->fips_skip) |
2978 | return 0; |
2979 | |
2980 | sprintf(vec_name, "%u" , vec_num); |
2981 | |
2982 | for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) { |
2983 | err = test_skcipher_vec_cfg(enc, vec, vec_name, |
2984 | &default_cipher_testvec_configs[i], |
2985 | req, tsgls); |
2986 | if (err) |
2987 | return err; |
2988 | } |
2989 | |
2990 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
2991 | if (!noextratests) { |
2992 | struct rnd_state rng; |
2993 | struct testvec_config cfg; |
2994 | char cfgname[TESTVEC_CONFIG_NAMELEN]; |
2995 | |
2996 | init_rnd_state(&rng); |
2997 | |
2998 | for (i = 0; i < fuzz_iterations; i++) { |
2999 | generate_random_testvec_config(&rng, &cfg, cfgname, |
3000 | sizeof(cfgname)); |
3001 | err = test_skcipher_vec_cfg(enc, vec, vec_name, |
3002 | &cfg, req, tsgls); |
3003 | if (err) |
3004 | return err; |
3005 | cond_resched(); |
3006 | } |
3007 | } |
3008 | #endif |
3009 | return 0; |
3010 | } |
3011 | |
3012 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
3013 | /* |
3014 | * Generate a symmetric cipher test vector from the given implementation. |
3015 | * Assumes the buffers in 'vec' were already allocated. |
3016 | */ |
3017 | static void generate_random_cipher_testvec(struct rnd_state *rng, |
3018 | struct skcipher_request *req, |
3019 | struct cipher_testvec *vec, |
3020 | unsigned int maxdatasize, |
3021 | char *name, size_t max_namelen) |
3022 | { |
3023 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
3024 | const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm); |
3025 | const unsigned int ivsize = crypto_skcipher_ivsize(tfm); |
3026 | struct scatterlist src, dst; |
3027 | u8 iv[MAX_IVLEN]; |
3028 | DECLARE_CRYPTO_WAIT(wait); |
3029 | |
3030 | /* Key: length in [0, maxkeysize], but usually choose maxkeysize */ |
3031 | vec->klen = maxkeysize; |
3032 | if (prandom_u32_below(rng, 4) == 0) |
3033 | vec->klen = prandom_u32_below(rng, maxkeysize + 1); |
3034 | generate_random_bytes(rng, (u8 *)vec->key, vec->klen); |
3035 | vec->setkey_error = crypto_skcipher_setkey(tfm, vec->key, vec->klen); |
3036 | |
3037 | /* IV */ |
3038 | generate_random_bytes(rng, (u8 *)vec->iv, ivsize); |
3039 | |
3040 | /* Plaintext */ |
3041 | vec->len = generate_random_length(rng, maxdatasize); |
3042 | generate_random_bytes(rng, (u8 *)vec->ptext, vec->len); |
3043 | |
3044 | /* If the key couldn't be set, no need to continue to encrypt. */ |
3045 | if (vec->setkey_error) |
3046 | goto done; |
3047 | |
3048 | /* Ciphertext */ |
3049 | sg_init_one(&src, vec->ptext, vec->len); |
3050 | sg_init_one(&dst, vec->ctext, vec->len); |
3051 | memcpy(iv, vec->iv, ivsize); |
3052 | skcipher_request_set_callback(req, 0, crypto_req_done, &wait); |
3053 | skcipher_request_set_crypt(req, &src, &dst, vec->len, iv); |
3054 | vec->crypt_error = crypto_wait_req(crypto_skcipher_encrypt(req), &wait); |
3055 | if (vec->crypt_error != 0) { |
3056 | /* |
3057 | * The only acceptable error here is for an invalid length, so |
3058 | * skcipher decryption should fail with the same error too. |
3059 | * We'll test for this. But to keep the API usage well-defined, |
3060 | * explicitly initialize the ciphertext buffer too. |
3061 | */ |
3062 | memset((u8 *)vec->ctext, 0, vec->len); |
3063 | } |
3064 | done: |
3065 | snprintf(name, max_namelen, "\"random: len=%u klen=%u\"" , |
3066 | vec->len, vec->klen); |
3067 | } |
3068 | |
3069 | /* |
3070 | * Test the skcipher algorithm represented by @req against the corresponding |
3071 | * generic implementation, if one is available. |
3072 | */ |
3073 | static int test_skcipher_vs_generic_impl(const char *generic_driver, |
3074 | struct skcipher_request *req, |
3075 | struct cipher_test_sglists *tsgls) |
3076 | { |
3077 | struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); |
3078 | const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm); |
3079 | const unsigned int ivsize = crypto_skcipher_ivsize(tfm); |
3080 | const unsigned int blocksize = crypto_skcipher_blocksize(tfm); |
3081 | const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN; |
3082 | const char *algname = crypto_skcipher_alg(tfm)->base.cra_name; |
3083 | const char *driver = crypto_skcipher_driver_name(tfm); |
3084 | struct rnd_state rng; |
3085 | char _generic_driver[CRYPTO_MAX_ALG_NAME]; |
3086 | struct crypto_skcipher *generic_tfm = NULL; |
3087 | struct skcipher_request *generic_req = NULL; |
3088 | unsigned int i; |
3089 | struct cipher_testvec vec = { 0 }; |
3090 | char vec_name[64]; |
3091 | struct testvec_config *cfg; |
3092 | char cfgname[TESTVEC_CONFIG_NAMELEN]; |
3093 | int err; |
3094 | |
3095 | if (noextratests) |
3096 | return 0; |
3097 | |
3098 | /* Keywrap isn't supported here yet as it handles its IV differently. */ |
3099 | if (strncmp(algname, "kw(" , 3) == 0) |
3100 | return 0; |
3101 | |
3102 | init_rnd_state(&rng); |
3103 | |
3104 | if (!generic_driver) { /* Use default naming convention? */ |
3105 | err = build_generic_driver_name(algname, _generic_driver); |
3106 | if (err) |
3107 | return err; |
3108 | generic_driver = _generic_driver; |
3109 | } |
3110 | |
3111 | if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */ |
3112 | return 0; |
3113 | |
3114 | generic_tfm = crypto_alloc_skcipher(generic_driver, 0, 0); |
3115 | if (IS_ERR(generic_tfm)) { |
3116 | err = PTR_ERR(generic_tfm); |
3117 | if (err == -ENOENT) { |
3118 | pr_warn("alg: skcipher: skipping comparison tests for %s because %s is unavailable\n" , |
3119 | driver, generic_driver); |
3120 | return 0; |
3121 | } |
3122 | pr_err("alg: skcipher: error allocating %s (generic impl of %s): %d\n" , |
3123 | generic_driver, algname, err); |
3124 | return err; |
3125 | } |
3126 | |
3127 | cfg = kzalloc(sizeof(*cfg), GFP_KERNEL); |
3128 | if (!cfg) { |
3129 | err = -ENOMEM; |
3130 | goto out; |
3131 | } |
3132 | |
3133 | generic_req = skcipher_request_alloc(generic_tfm, GFP_KERNEL); |
3134 | if (!generic_req) { |
3135 | err = -ENOMEM; |
3136 | goto out; |
3137 | } |
3138 | |
3139 | /* Check the algorithm properties for consistency. */ |
3140 | |
3141 | if (crypto_skcipher_min_keysize(tfm) != |
3142 | crypto_skcipher_min_keysize(generic_tfm)) { |
3143 | pr_err("alg: skcipher: min keysize for %s (%u) doesn't match generic impl (%u)\n" , |
3144 | driver, crypto_skcipher_min_keysize(tfm), |
3145 | crypto_skcipher_min_keysize(generic_tfm)); |
3146 | err = -EINVAL; |
3147 | goto out; |
3148 | } |
3149 | |
3150 | if (maxkeysize != crypto_skcipher_max_keysize(generic_tfm)) { |
3151 | pr_err("alg: skcipher: max keysize for %s (%u) doesn't match generic impl (%u)\n" , |
3152 | driver, maxkeysize, |
3153 | crypto_skcipher_max_keysize(generic_tfm)); |
3154 | err = -EINVAL; |
3155 | goto out; |
3156 | } |
3157 | |
3158 | if (ivsize != crypto_skcipher_ivsize(generic_tfm)) { |
3159 | pr_err("alg: skcipher: ivsize for %s (%u) doesn't match generic impl (%u)\n" , |
3160 | driver, ivsize, crypto_skcipher_ivsize(generic_tfm)); |
3161 | err = -EINVAL; |
3162 | goto out; |
3163 | } |
3164 | |
3165 | if (blocksize != crypto_skcipher_blocksize(generic_tfm)) { |
3166 | pr_err("alg: skcipher: blocksize for %s (%u) doesn't match generic impl (%u)\n" , |
3167 | driver, blocksize, |
3168 | crypto_skcipher_blocksize(generic_tfm)); |
3169 | err = -EINVAL; |
3170 | goto out; |
3171 | } |
3172 | |
3173 | /* |
3174 | * Now generate test vectors using the generic implementation, and test |
3175 | * the other implementation against them. |
3176 | */ |
3177 | |
3178 | vec.key = kmalloc(maxkeysize, GFP_KERNEL); |
3179 | vec.iv = kmalloc(ivsize, GFP_KERNEL); |
3180 | vec.ptext = kmalloc(maxdatasize, GFP_KERNEL); |
3181 | vec.ctext = kmalloc(maxdatasize, GFP_KERNEL); |
3182 | if (!vec.key || !vec.iv || !vec.ptext || !vec.ctext) { |
3183 | err = -ENOMEM; |
3184 | goto out; |
3185 | } |
3186 | |
3187 | for (i = 0; i < fuzz_iterations * 8; i++) { |
3188 | generate_random_cipher_testvec(&rng, generic_req, &vec, |
3189 | maxdatasize, |
3190 | vec_name, sizeof(vec_name)); |
3191 | generate_random_testvec_config(&rng, cfg, cfgname, |
3192 | sizeof(cfgname)); |
3193 | |
3194 | err = test_skcipher_vec_cfg(ENCRYPT, &vec, vec_name, |
3195 | cfg, req, tsgls); |
3196 | if (err) |
3197 | goto out; |
3198 | err = test_skcipher_vec_cfg(DECRYPT, &vec, vec_name, |
3199 | cfg, req, tsgls); |
3200 | if (err) |
3201 | goto out; |
3202 | cond_resched(); |
3203 | } |
3204 | err = 0; |
3205 | out: |
3206 | kfree(cfg); |
3207 | kfree(vec.key); |
3208 | kfree(vec.iv); |
3209 | kfree(vec.ptext); |
3210 | kfree(vec.ctext); |
3211 | crypto_free_skcipher(generic_tfm); |
3212 | skcipher_request_free(generic_req); |
3213 | return err; |
3214 | } |
3215 | #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
3216 | static int test_skcipher_vs_generic_impl(const char *generic_driver, |
3217 | struct skcipher_request *req, |
3218 | struct cipher_test_sglists *tsgls) |
3219 | { |
3220 | return 0; |
3221 | } |
3222 | #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */ |
3223 | |
3224 | static int test_skcipher(int enc, const struct cipher_test_suite *suite, |
3225 | struct skcipher_request *req, |
3226 | struct cipher_test_sglists *tsgls) |
3227 | { |
3228 | unsigned int i; |
3229 | int err; |
3230 | |
3231 | for (i = 0; i < suite->count; i++) { |
3232 | err = test_skcipher_vec(enc, &suite->vecs[i], i, req, tsgls); |
3233 | if (err) |
3234 | return err; |
3235 | cond_resched(); |
3236 | } |
3237 | return 0; |
3238 | } |
3239 | |
3240 | static int alg_test_skcipher(const struct alg_test_desc *desc, |
3241 | const char *driver, u32 type, u32 mask) |
3242 | { |
3243 | const struct cipher_test_suite *suite = &desc->suite.cipher; |
3244 | struct crypto_skcipher *tfm; |
3245 | struct skcipher_request *req = NULL; |
3246 | struct cipher_test_sglists *tsgls = NULL; |
3247 | int err; |
3248 | |
3249 | if (suite->count <= 0) { |
3250 | pr_err("alg: skcipher: empty test suite for %s\n" , driver); |
3251 | return -EINVAL; |
3252 | } |
3253 | |
3254 | tfm = crypto_alloc_skcipher(driver, type, mask); |
3255 | if (IS_ERR(tfm)) { |
3256 | pr_err("alg: skcipher: failed to allocate transform for %s: %ld\n" , |
3257 | driver, PTR_ERR(tfm)); |
3258 | return PTR_ERR(tfm); |
3259 | } |
3260 | driver = crypto_skcipher_driver_name(tfm); |
3261 | |
3262 | req = skcipher_request_alloc(tfm, GFP_KERNEL); |
3263 | if (!req) { |
3264 | pr_err("alg: skcipher: failed to allocate request for %s\n" , |
3265 | driver); |
3266 | err = -ENOMEM; |
3267 | goto out; |
3268 | } |
3269 | |
3270 | tsgls = alloc_cipher_test_sglists(); |
3271 | if (!tsgls) { |
3272 | pr_err("alg: skcipher: failed to allocate test buffers for %s\n" , |
3273 | driver); |
3274 | err = -ENOMEM; |
3275 | goto out; |
3276 | } |
3277 | |
3278 | err = test_skcipher(ENCRYPT, suite, req, tsgls); |
3279 | if (err) |
3280 | goto out; |
3281 | |
3282 | err = test_skcipher(DECRYPT, suite, req, tsgls); |
3283 | if (err) |
3284 | goto out; |
3285 | |
3286 | err = test_skcipher_vs_generic_impl(desc->generic_driver, req, tsgls); |
3287 | out: |
3288 | free_cipher_test_sglists(tsgls); |
3289 | skcipher_request_free(req); |
3290 | crypto_free_skcipher(tfm); |
3291 | return err; |
3292 | } |
3293 | |
3294 | static int test_comp(struct crypto_comp *tfm, |
3295 | const struct comp_testvec *ctemplate, |
3296 | const struct comp_testvec *dtemplate, |
3297 | int ctcount, int dtcount) |
3298 | { |
3299 | const char *algo = crypto_tfm_alg_driver_name(crypto_comp_tfm(tfm)); |
3300 | char *output, *decomp_output; |
3301 | unsigned int i; |
3302 | int ret; |
3303 | |
3304 | output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL); |
3305 | if (!output) |
3306 | return -ENOMEM; |
3307 | |
3308 | decomp_output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL); |
3309 | if (!decomp_output) { |
3310 | kfree(output); |
3311 | return -ENOMEM; |
3312 | } |
3313 | |
3314 | for (i = 0; i < ctcount; i++) { |
3315 | int ilen; |
3316 | unsigned int dlen = COMP_BUF_SIZE; |
3317 | |
3318 | memset(output, 0, COMP_BUF_SIZE); |
3319 | memset(decomp_output, 0, COMP_BUF_SIZE); |
3320 | |
3321 | ilen = ctemplate[i].inlen; |
3322 | ret = crypto_comp_compress(tfm, ctemplate[i].input, |
3323 | ilen, output, &dlen); |
3324 | if (ret) { |
3325 | printk(KERN_ERR "alg: comp: compression failed " |
3326 | "on test %d for %s: ret=%d\n" , i + 1, algo, |
3327 | -ret); |
3328 | goto out; |
3329 | } |
3330 | |
3331 | ilen = dlen; |
3332 | dlen = COMP_BUF_SIZE; |
3333 | ret = crypto_comp_decompress(tfm, output, |
3334 | ilen, decomp_output, &dlen); |
3335 | if (ret) { |
3336 | pr_err("alg: comp: compression failed: decompress: on test %d for %s failed: ret=%d\n" , |
3337 | i + 1, algo, -ret); |
3338 | goto out; |
3339 | } |
3340 | |
3341 | if (dlen != ctemplate[i].inlen) { |
3342 | printk(KERN_ERR "alg: comp: Compression test %d " |
3343 | "failed for %s: output len = %d\n" , i + 1, algo, |
3344 | dlen); |
3345 | ret = -EINVAL; |
3346 | goto out; |
3347 | } |
3348 | |
3349 | if (memcmp(decomp_output, ctemplate[i].input, |
3350 | ctemplate[i].inlen)) { |
3351 | pr_err("alg: comp: compression failed: output differs: on test %d for %s\n" , |
3352 | i + 1, algo); |
3353 | hexdump(decomp_output, dlen); |
3354 | ret = -EINVAL; |
3355 | goto out; |
3356 | } |
3357 | } |
3358 | |
3359 | for (i = 0; i < dtcount; i++) { |
3360 | int ilen; |
3361 | unsigned int dlen = COMP_BUF_SIZE; |
3362 | |
3363 | memset(decomp_output, 0, COMP_BUF_SIZE); |
3364 | |
3365 | ilen = dtemplate[i].inlen; |
3366 | ret = crypto_comp_decompress(tfm, dtemplate[i].input, |
3367 | ilen, decomp_output, &dlen); |
3368 | if (ret) { |
3369 | printk(KERN_ERR "alg: comp: decompression failed " |
3370 | "on test %d for %s: ret=%d\n" , i + 1, algo, |
3371 | -ret); |
3372 | goto out; |
3373 | } |
3374 | |
3375 | if (dlen != dtemplate[i].outlen) { |
3376 | printk(KERN_ERR "alg: comp: Decompression test %d " |
3377 | "failed for %s: output len = %d\n" , i + 1, algo, |
3378 | dlen); |
3379 | ret = -EINVAL; |
3380 | goto out; |
3381 | } |
3382 | |
3383 | if (memcmp(decomp_output, dtemplate[i].output, dlen)) { |
3384 | printk(KERN_ERR "alg: comp: Decompression test %d " |
3385 | "failed for %s\n" , i + 1, algo); |
3386 | hexdump(decomp_output, dlen); |
3387 | ret = -EINVAL; |
3388 | goto out; |
3389 | } |
3390 | } |
3391 | |
3392 | ret = 0; |
3393 | |
3394 | out: |
3395 | kfree(decomp_output); |
3396 | kfree(output); |
3397 | return ret; |
3398 | } |
3399 | |
3400 | static int test_acomp(struct crypto_acomp *tfm, |
3401 | const struct comp_testvec *ctemplate, |
3402 | const struct comp_testvec *dtemplate, |
3403 | int ctcount, int dtcount) |
3404 | { |
3405 | const char *algo = crypto_tfm_alg_driver_name(crypto_acomp_tfm(tfm)); |
3406 | unsigned int i; |
3407 | char *output, *decomp_out; |
3408 | int ret; |
3409 | struct scatterlist src, dst; |
3410 | struct acomp_req *req; |
3411 | struct crypto_wait wait; |
3412 | |
3413 | output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL); |
3414 | if (!output) |
3415 | return -ENOMEM; |
3416 | |
3417 | decomp_out = kmalloc(COMP_BUF_SIZE, GFP_KERNEL); |
3418 | if (!decomp_out) { |
3419 | kfree(output); |
3420 | return -ENOMEM; |
3421 | } |
3422 | |
3423 | for (i = 0; i < ctcount; i++) { |
3424 | unsigned int dlen = COMP_BUF_SIZE; |
3425 | int ilen = ctemplate[i].inlen; |
3426 | void *input_vec; |
3427 | |
3428 | input_vec = kmemdup(ctemplate[i].input, ilen, GFP_KERNEL); |
3429 | if (!input_vec) { |
3430 | ret = -ENOMEM; |
3431 | goto out; |
3432 | } |
3433 | |
3434 | memset(output, 0, dlen); |
3435 | crypto_init_wait(&wait); |
3436 | sg_init_one(&src, input_vec, ilen); |
3437 | sg_init_one(&dst, output, dlen); |
3438 | |
3439 | req = acomp_request_alloc(tfm); |
3440 | if (!req) { |
3441 | pr_err("alg: acomp: request alloc failed for %s\n" , |
3442 | algo); |
3443 | kfree(input_vec); |
3444 | ret = -ENOMEM; |
3445 | goto out; |
3446 | } |
3447 | |
3448 | acomp_request_set_params(req, &src, &dst, ilen, dlen); |
3449 | acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
3450 | crypto_req_done, &wait); |
3451 | |
3452 | ret = crypto_wait_req(crypto_acomp_compress(req), &wait); |
3453 | if (ret) { |
3454 | pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n" , |
3455 | i + 1, algo, -ret); |
3456 | kfree(input_vec); |
3457 | acomp_request_free(req); |
3458 | goto out; |
3459 | } |
3460 | |
3461 | ilen = req->dlen; |
3462 | dlen = COMP_BUF_SIZE; |
3463 | sg_init_one(&src, output, ilen); |
3464 | sg_init_one(&dst, decomp_out, dlen); |
3465 | crypto_init_wait(&wait); |
3466 | acomp_request_set_params(req, &src, &dst, ilen, dlen); |
3467 | |
3468 | ret = crypto_wait_req(crypto_acomp_decompress(req), &wait); |
3469 | if (ret) { |
3470 | pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n" , |
3471 | i + 1, algo, -ret); |
3472 | kfree(input_vec); |
3473 | acomp_request_free(req); |
3474 | goto out; |
3475 | } |
3476 | |
3477 | if (req->dlen != ctemplate[i].inlen) { |
3478 | pr_err("alg: acomp: Compression test %d failed for %s: output len = %d\n" , |
3479 | i + 1, algo, req->dlen); |
3480 | ret = -EINVAL; |
3481 | kfree(input_vec); |
3482 | acomp_request_free(req); |
3483 | goto out; |
3484 | } |
3485 | |
3486 | if (memcmp(input_vec, decomp_out, req->dlen)) { |
3487 | pr_err("alg: acomp: Compression test %d failed for %s\n" , |
3488 | i + 1, algo); |
3489 | hexdump(output, req->dlen); |
3490 | ret = -EINVAL; |
3491 | kfree(input_vec); |
3492 | acomp_request_free(req); |
3493 | goto out; |
3494 | } |
3495 | |
3496 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
3497 | crypto_init_wait(&wait); |
3498 | sg_init_one(&src, input_vec, ilen); |
3499 | acomp_request_set_params(req, &src, NULL, ilen, 0); |
3500 | |
3501 | ret = crypto_wait_req(crypto_acomp_compress(req), &wait); |
3502 | if (ret) { |
3503 | pr_err("alg: acomp: compression failed on NULL dst buffer test %d for %s: ret=%d\n" , |
3504 | i + 1, algo, -ret); |
3505 | kfree(input_vec); |
3506 | acomp_request_free(req); |
3507 | goto out; |
3508 | } |
3509 | #endif |
3510 | |
3511 | kfree(input_vec); |
3512 | acomp_request_free(req); |
3513 | } |
3514 | |
3515 | for (i = 0; i < dtcount; i++) { |
3516 | unsigned int dlen = COMP_BUF_SIZE; |
3517 | int ilen = dtemplate[i].inlen; |
3518 | void *input_vec; |
3519 | |
3520 | input_vec = kmemdup(dtemplate[i].input, ilen, GFP_KERNEL); |
3521 | if (!input_vec) { |
3522 | ret = -ENOMEM; |
3523 | goto out; |
3524 | } |
3525 | |
3526 | memset(output, 0, dlen); |
3527 | crypto_init_wait(&wait); |
3528 | sg_init_one(&src, input_vec, ilen); |
3529 | sg_init_one(&dst, output, dlen); |
3530 | |
3531 | req = acomp_request_alloc(tfm); |
3532 | if (!req) { |
3533 | pr_err("alg: acomp: request alloc failed for %s\n" , |
3534 | algo); |
3535 | kfree(input_vec); |
3536 | ret = -ENOMEM; |
3537 | goto out; |
3538 | } |
3539 | |
3540 | acomp_request_set_params(req, &src, &dst, ilen, dlen); |
3541 | acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
3542 | crypto_req_done, &wait); |
3543 | |
3544 | ret = crypto_wait_req(crypto_acomp_decompress(req), &wait); |
3545 | if (ret) { |
3546 | pr_err("alg: acomp: decompression failed on test %d for %s: ret=%d\n" , |
3547 | i + 1, algo, -ret); |
3548 | kfree(input_vec); |
3549 | acomp_request_free(req); |
3550 | goto out; |
3551 | } |
3552 | |
3553 | if (req->dlen != dtemplate[i].outlen) { |
3554 | pr_err("alg: acomp: Decompression test %d failed for %s: output len = %d\n" , |
3555 | i + 1, algo, req->dlen); |
3556 | ret = -EINVAL; |
3557 | kfree(input_vec); |
3558 | acomp_request_free(req); |
3559 | goto out; |
3560 | } |
3561 | |
3562 | if (memcmp(output, dtemplate[i].output, req->dlen)) { |
3563 | pr_err("alg: acomp: Decompression test %d failed for %s\n" , |
3564 | i + 1, algo); |
3565 | hexdump(output, req->dlen); |
3566 | ret = -EINVAL; |
3567 | kfree(input_vec); |
3568 | acomp_request_free(req); |
3569 | goto out; |
3570 | } |
3571 | |
3572 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
3573 | crypto_init_wait(&wait); |
3574 | acomp_request_set_params(req, &src, NULL, ilen, 0); |
3575 | |
3576 | ret = crypto_wait_req(crypto_acomp_decompress(req), &wait); |
3577 | if (ret) { |
3578 | pr_err("alg: acomp: decompression failed on NULL dst buffer test %d for %s: ret=%d\n" , |
3579 | i + 1, algo, -ret); |
3580 | kfree(input_vec); |
3581 | acomp_request_free(req); |
3582 | goto out; |
3583 | } |
3584 | #endif |
3585 | |
3586 | kfree(input_vec); |
3587 | acomp_request_free(req); |
3588 | } |
3589 | |
3590 | ret = 0; |
3591 | |
3592 | out: |
3593 | kfree(decomp_out); |
3594 | kfree(output); |
3595 | return ret; |
3596 | } |
3597 | |
3598 | static int test_cprng(struct crypto_rng *tfm, |
3599 | const struct cprng_testvec *template, |
3600 | unsigned int tcount) |
3601 | { |
3602 | const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm)); |
3603 | int err = 0, i, j, seedsize; |
3604 | u8 *seed; |
3605 | char result[32]; |
3606 | |
3607 | seedsize = crypto_rng_seedsize(tfm); |
3608 | |
3609 | seed = kmalloc(seedsize, GFP_KERNEL); |
3610 | if (!seed) { |
3611 | printk(KERN_ERR "alg: cprng: Failed to allocate seed space " |
3612 | "for %s\n" , algo); |
3613 | return -ENOMEM; |
3614 | } |
3615 | |
3616 | for (i = 0; i < tcount; i++) { |
3617 | memset(result, 0, 32); |
3618 | |
3619 | memcpy(seed, template[i].v, template[i].vlen); |
3620 | memcpy(seed + template[i].vlen, template[i].key, |
3621 | template[i].klen); |
3622 | memcpy(seed + template[i].vlen + template[i].klen, |
3623 | template[i].dt, template[i].dtlen); |
3624 | |
3625 | err = crypto_rng_reset(tfm, seed, seedsize); |
3626 | if (err) { |
3627 | printk(KERN_ERR "alg: cprng: Failed to reset rng " |
3628 | "for %s\n" , algo); |
3629 | goto out; |
3630 | } |
3631 | |
3632 | for (j = 0; j < template[i].loops; j++) { |
3633 | err = crypto_rng_get_bytes(tfm, result, |
3634 | template[i].rlen); |
3635 | if (err < 0) { |
3636 | printk(KERN_ERR "alg: cprng: Failed to obtain " |
3637 | "the correct amount of random data for " |
3638 | "%s (requested %d)\n" , algo, |
3639 | template[i].rlen); |
3640 | goto out; |
3641 | } |
3642 | } |
3643 | |
3644 | err = memcmp(result, template[i].result, |
3645 | template[i].rlen); |
3646 | if (err) { |
3647 | printk(KERN_ERR "alg: cprng: Test %d failed for %s\n" , |
3648 | i, algo); |
3649 | hexdump(result, template[i].rlen); |
3650 | err = -EINVAL; |
3651 | goto out; |
3652 | } |
3653 | } |
3654 | |
3655 | out: |
3656 | kfree(seed); |
3657 | return err; |
3658 | } |
3659 | |
3660 | static int alg_test_cipher(const struct alg_test_desc *desc, |
3661 | const char *driver, u32 type, u32 mask) |
3662 | { |
3663 | const struct cipher_test_suite *suite = &desc->suite.cipher; |
3664 | struct crypto_cipher *tfm; |
3665 | int err; |
3666 | |
3667 | tfm = crypto_alloc_cipher(driver, type, mask); |
3668 | if (IS_ERR(tfm)) { |
3669 | printk(KERN_ERR "alg: cipher: Failed to load transform for " |
3670 | "%s: %ld\n" , driver, PTR_ERR(tfm)); |
3671 | return PTR_ERR(tfm); |
3672 | } |
3673 | |
3674 | err = test_cipher(tfm, ENCRYPT, suite->vecs, suite->count); |
3675 | if (!err) |
3676 | err = test_cipher(tfm, DECRYPT, suite->vecs, suite->count); |
3677 | |
3678 | crypto_free_cipher(tfm); |
3679 | return err; |
3680 | } |
3681 | |
3682 | static int alg_test_comp(const struct alg_test_desc *desc, const char *driver, |
3683 | u32 type, u32 mask) |
3684 | { |
3685 | struct crypto_comp *comp; |
3686 | struct crypto_acomp *acomp; |
3687 | int err; |
3688 | u32 algo_type = type & CRYPTO_ALG_TYPE_ACOMPRESS_MASK; |
3689 | |
3690 | if (algo_type == CRYPTO_ALG_TYPE_ACOMPRESS) { |
3691 | acomp = crypto_alloc_acomp(driver, type, mask); |
3692 | if (IS_ERR(acomp)) { |
3693 | pr_err("alg: acomp: Failed to load transform for %s: %ld\n" , |
3694 | driver, PTR_ERR(acomp)); |
3695 | return PTR_ERR(acomp); |
3696 | } |
3697 | err = test_acomp(acomp, desc->suite.comp.comp.vecs, |
3698 | desc->suite.comp.decomp.vecs, |
3699 | desc->suite.comp.comp.count, |
3700 | desc->suite.comp.decomp.count); |
3701 | crypto_free_acomp(acomp); |
3702 | } else { |
3703 | comp = crypto_alloc_comp(driver, type, mask); |
3704 | if (IS_ERR(comp)) { |
3705 | pr_err("alg: comp: Failed to load transform for %s: %ld\n" , |
3706 | driver, PTR_ERR(comp)); |
3707 | return PTR_ERR(comp); |
3708 | } |
3709 | |
3710 | err = test_comp(comp, desc->suite.comp.comp.vecs, |
3711 | desc->suite.comp.decomp.vecs, |
3712 | desc->suite.comp.comp.count, |
3713 | desc->suite.comp.decomp.count); |
3714 | |
3715 | crypto_free_comp(comp); |
3716 | } |
3717 | return err; |
3718 | } |
3719 | |
3720 | static int alg_test_crc32c(const struct alg_test_desc *desc, |
3721 | const char *driver, u32 type, u32 mask) |
3722 | { |
3723 | struct crypto_shash *tfm; |
3724 | __le32 val; |
3725 | int err; |
3726 | |
3727 | err = alg_test_hash(desc, driver, type, mask); |
3728 | if (err) |
3729 | return err; |
3730 | |
3731 | tfm = crypto_alloc_shash(driver, type, mask); |
3732 | if (IS_ERR(tfm)) { |
3733 | if (PTR_ERR(tfm) == -ENOENT) { |
3734 | /* |
3735 | * This crc32c implementation is only available through |
3736 | * ahash API, not the shash API, so the remaining part |
3737 | * of the test is not applicable to it. |
3738 | */ |
3739 | return 0; |
3740 | } |
3741 | printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: " |
3742 | "%ld\n" , driver, PTR_ERR(tfm)); |
3743 | return PTR_ERR(tfm); |
3744 | } |
3745 | driver = crypto_shash_driver_name(tfm); |
3746 | |
3747 | do { |
3748 | SHASH_DESC_ON_STACK(shash, tfm); |
3749 | u32 *ctx = (u32 *)shash_desc_ctx(shash); |
3750 | |
3751 | shash->tfm = tfm; |
3752 | |
3753 | *ctx = 420553207; |
3754 | err = crypto_shash_final(shash, (u8 *)&val); |
3755 | if (err) { |
3756 | printk(KERN_ERR "alg: crc32c: Operation failed for " |
3757 | "%s: %d\n" , driver, err); |
3758 | break; |
3759 | } |
3760 | |
3761 | if (val != cpu_to_le32(~420553207)) { |
3762 | pr_err("alg: crc32c: Test failed for %s: %u\n" , |
3763 | driver, le32_to_cpu(val)); |
3764 | err = -EINVAL; |
3765 | } |
3766 | } while (0); |
3767 | |
3768 | crypto_free_shash(tfm); |
3769 | |
3770 | return err; |
3771 | } |
3772 | |
3773 | static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver, |
3774 | u32 type, u32 mask) |
3775 | { |
3776 | struct crypto_rng *rng; |
3777 | int err; |
3778 | |
3779 | rng = crypto_alloc_rng(driver, type, mask); |
3780 | if (IS_ERR(rng)) { |
3781 | printk(KERN_ERR "alg: cprng: Failed to load transform for %s: " |
3782 | "%ld\n" , driver, PTR_ERR(rng)); |
3783 | return PTR_ERR(rng); |
3784 | } |
3785 | |
3786 | err = test_cprng(rng, desc->suite.cprng.vecs, desc->suite.cprng.count); |
3787 | |
3788 | crypto_free_rng(rng); |
3789 | |
3790 | return err; |
3791 | } |
3792 | |
3793 | |
3794 | static int drbg_cavs_test(const struct drbg_testvec *test, int pr, |
3795 | const char *driver, u32 type, u32 mask) |
3796 | { |
3797 | int ret = -EAGAIN; |
3798 | struct crypto_rng *drng; |
3799 | struct drbg_test_data test_data; |
3800 | struct drbg_string addtl, pers, testentropy; |
3801 | unsigned char *buf = kzalloc(test->expectedlen, GFP_KERNEL); |
3802 | |
3803 | if (!buf) |
3804 | return -ENOMEM; |
3805 | |
3806 | drng = crypto_alloc_rng(driver, type, mask); |
3807 | if (IS_ERR(drng)) { |
3808 | printk(KERN_ERR "alg: drbg: could not allocate DRNG handle for " |
3809 | "%s\n" , driver); |
3810 | kfree_sensitive(buf); |
3811 | return -ENOMEM; |
3812 | } |
3813 | |
3814 | test_data.testentropy = &testentropy; |
3815 | drbg_string_fill(&testentropy, test->entropy, test->entropylen); |
3816 | drbg_string_fill(&pers, test->pers, test->perslen); |
3817 | ret = crypto_drbg_reset_test(drng, &pers, &test_data); |
3818 | if (ret) { |
3819 | printk(KERN_ERR "alg: drbg: Failed to reset rng\n" ); |
3820 | goto outbuf; |
3821 | } |
3822 | |
3823 | drbg_string_fill(&addtl, test->addtla, test->addtllen); |
3824 | if (pr) { |
3825 | drbg_string_fill(&testentropy, test->entpra, test->entprlen); |
3826 | ret = crypto_drbg_get_bytes_addtl_test(drng, |
3827 | buf, test->expectedlen, &addtl, &test_data); |
3828 | } else { |
3829 | ret = crypto_drbg_get_bytes_addtl(drng, |
3830 | buf, test->expectedlen, &addtl); |
3831 | } |
3832 | if (ret < 0) { |
3833 | printk(KERN_ERR "alg: drbg: could not obtain random data for " |
3834 | "driver %s\n" , driver); |
3835 | goto outbuf; |
3836 | } |
3837 | |
3838 | drbg_string_fill(&addtl, test->addtlb, test->addtllen); |
3839 | if (pr) { |
3840 | drbg_string_fill(&testentropy, test->entprb, test->entprlen); |
3841 | ret = crypto_drbg_get_bytes_addtl_test(drng, |
3842 | buf, test->expectedlen, &addtl, &test_data); |
3843 | } else { |
3844 | ret = crypto_drbg_get_bytes_addtl(drng, |
3845 | buf, test->expectedlen, &addtl); |
3846 | } |
3847 | if (ret < 0) { |
3848 | printk(KERN_ERR "alg: drbg: could not obtain random data for " |
3849 | "driver %s\n" , driver); |
3850 | goto outbuf; |
3851 | } |
3852 | |
3853 | ret = memcmp(test->expected, buf, test->expectedlen); |
3854 | |
3855 | outbuf: |
3856 | crypto_free_rng(drng); |
3857 | kfree_sensitive(buf); |
3858 | return ret; |
3859 | } |
3860 | |
3861 | |
3862 | static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver, |
3863 | u32 type, u32 mask) |
3864 | { |
3865 | int err = 0; |
3866 | int pr = 0; |
3867 | int i = 0; |
3868 | const struct drbg_testvec *template = desc->suite.drbg.vecs; |
3869 | unsigned int tcount = desc->suite.drbg.count; |
3870 | |
3871 | if (0 == memcmp(driver, "drbg_pr_" , 8)) |
3872 | pr = 1; |
3873 | |
3874 | for (i = 0; i < tcount; i++) { |
3875 | err = drbg_cavs_test(&template[i], pr, driver, type, mask); |
3876 | if (err) { |
3877 | printk(KERN_ERR "alg: drbg: Test %d failed for %s\n" , |
3878 | i, driver); |
3879 | err = -EINVAL; |
3880 | break; |
3881 | } |
3882 | } |
3883 | return err; |
3884 | |
3885 | } |
3886 | |
3887 | static int do_test_kpp(struct crypto_kpp *tfm, const struct kpp_testvec *vec, |
3888 | const char *alg) |
3889 | { |
3890 | struct kpp_request *req; |
3891 | void *input_buf = NULL; |
3892 | void *output_buf = NULL; |
3893 | void *a_public = NULL; |
3894 | void *a_ss = NULL; |
3895 | void *shared_secret = NULL; |
3896 | struct crypto_wait wait; |
3897 | unsigned int out_len_max; |
3898 | int err = -ENOMEM; |
3899 | struct scatterlist src, dst; |
3900 | |
3901 | req = kpp_request_alloc(tfm, GFP_KERNEL); |
3902 | if (!req) |
3903 | return err; |
3904 | |
3905 | crypto_init_wait(&wait); |
3906 | |
3907 | err = crypto_kpp_set_secret(tfm, vec->secret, vec->secret_size); |
3908 | if (err < 0) |
3909 | goto free_req; |
3910 | |
3911 | out_len_max = crypto_kpp_maxsize(tfm); |
3912 | output_buf = kzalloc(out_len_max, GFP_KERNEL); |
3913 | if (!output_buf) { |
3914 | err = -ENOMEM; |
3915 | goto free_req; |
3916 | } |
3917 | |
3918 | /* Use appropriate parameter as base */ |
3919 | kpp_request_set_input(req, NULL, 0); |
3920 | sg_init_one(&dst, output_buf, out_len_max); |
3921 | kpp_request_set_output(req, &dst, out_len_max); |
3922 | kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
3923 | crypto_req_done, &wait); |
3924 | |
3925 | /* Compute party A's public key */ |
3926 | err = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait); |
3927 | if (err) { |
3928 | pr_err("alg: %s: Party A: generate public key test failed. err %d\n" , |
3929 | alg, err); |
3930 | goto free_output; |
3931 | } |
3932 | |
3933 | if (vec->genkey) { |
3934 | /* Save party A's public key */ |
3935 | a_public = kmemdup(sg_virt(req->dst), out_len_max, GFP_KERNEL); |
3936 | if (!a_public) { |
3937 | err = -ENOMEM; |
3938 | goto free_output; |
3939 | } |
3940 | } else { |
3941 | /* Verify calculated public key */ |
3942 | if (memcmp(vec->expected_a_public, sg_virt(req->dst), |
3943 | vec->expected_a_public_size)) { |
3944 | pr_err("alg: %s: Party A: generate public key test failed. Invalid output\n" , |
3945 | alg); |
3946 | err = -EINVAL; |
3947 | goto free_output; |
3948 | } |
3949 | } |
3950 | |
3951 | /* Calculate shared secret key by using counter part (b) public key. */ |
3952 | input_buf = kmemdup(vec->b_public, vec->b_public_size, GFP_KERNEL); |
3953 | if (!input_buf) { |
3954 | err = -ENOMEM; |
3955 | goto free_output; |
3956 | } |
3957 | |
3958 | sg_init_one(&src, input_buf, vec->b_public_size); |
3959 | sg_init_one(&dst, output_buf, out_len_max); |
3960 | kpp_request_set_input(req, &src, vec->b_public_size); |
3961 | kpp_request_set_output(req, &dst, out_len_max); |
3962 | kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
3963 | crypto_req_done, &wait); |
3964 | err = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait); |
3965 | if (err) { |
3966 | pr_err("alg: %s: Party A: compute shared secret test failed. err %d\n" , |
3967 | alg, err); |
3968 | goto free_all; |
3969 | } |
3970 | |
3971 | if (vec->genkey) { |
3972 | /* Save the shared secret obtained by party A */ |
3973 | a_ss = kmemdup(sg_virt(req->dst), vec->expected_ss_size, GFP_KERNEL); |
3974 | if (!a_ss) { |
3975 | err = -ENOMEM; |
3976 | goto free_all; |
3977 | } |
3978 | |
3979 | /* |
3980 | * Calculate party B's shared secret by using party A's |
3981 | * public key. |
3982 | */ |
3983 | err = crypto_kpp_set_secret(tfm, vec->b_secret, |
3984 | vec->b_secret_size); |
3985 | if (err < 0) |
3986 | goto free_all; |
3987 | |
3988 | sg_init_one(&src, a_public, vec->expected_a_public_size); |
3989 | sg_init_one(&dst, output_buf, out_len_max); |
3990 | kpp_request_set_input(req, &src, vec->expected_a_public_size); |
3991 | kpp_request_set_output(req, &dst, out_len_max); |
3992 | kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
3993 | crypto_req_done, &wait); |
3994 | err = crypto_wait_req(crypto_kpp_compute_shared_secret(req), |
3995 | &wait); |
3996 | if (err) { |
3997 | pr_err("alg: %s: Party B: compute shared secret failed. err %d\n" , |
3998 | alg, err); |
3999 | goto free_all; |
4000 | } |
4001 | |
4002 | shared_secret = a_ss; |
4003 | } else { |
4004 | shared_secret = (void *)vec->expected_ss; |
4005 | } |
4006 | |
4007 | /* |
4008 | * verify shared secret from which the user will derive |
4009 | * secret key by executing whatever hash it has chosen |
4010 | */ |
4011 | if (memcmp(shared_secret, sg_virt(req->dst), |
4012 | vec->expected_ss_size)) { |
4013 | pr_err("alg: %s: compute shared secret test failed. Invalid output\n" , |
4014 | alg); |
4015 | err = -EINVAL; |
4016 | } |
4017 | |
4018 | free_all: |
4019 | kfree(a_ss); |
4020 | kfree(input_buf); |
4021 | free_output: |
4022 | kfree(a_public); |
4023 | kfree(output_buf); |
4024 | free_req: |
4025 | kpp_request_free(req); |
4026 | return err; |
4027 | } |
4028 | |
4029 | static int test_kpp(struct crypto_kpp *tfm, const char *alg, |
4030 | const struct kpp_testvec *vecs, unsigned int tcount) |
4031 | { |
4032 | int ret, i; |
4033 | |
4034 | for (i = 0; i < tcount; i++) { |
4035 | ret = do_test_kpp(tfm, vecs++, alg); |
4036 | if (ret) { |
4037 | pr_err("alg: %s: test failed on vector %d, err=%d\n" , |
4038 | alg, i + 1, ret); |
4039 | return ret; |
4040 | } |
4041 | } |
4042 | return 0; |
4043 | } |
4044 | |
4045 | static int alg_test_kpp(const struct alg_test_desc *desc, const char *driver, |
4046 | u32 type, u32 mask) |
4047 | { |
4048 | struct crypto_kpp *tfm; |
4049 | int err = 0; |
4050 | |
4051 | tfm = crypto_alloc_kpp(driver, type, mask); |
4052 | if (IS_ERR(tfm)) { |
4053 | pr_err("alg: kpp: Failed to load tfm for %s: %ld\n" , |
4054 | driver, PTR_ERR(tfm)); |
4055 | return PTR_ERR(tfm); |
4056 | } |
4057 | if (desc->suite.kpp.vecs) |
4058 | err = test_kpp(tfm, desc->alg, desc->suite.kpp.vecs, |
4059 | desc->suite.kpp.count); |
4060 | |
4061 | crypto_free_kpp(tfm); |
4062 | return err; |
4063 | } |
4064 | |
4065 | static u8 *test_pack_u32(u8 *dst, u32 val) |
4066 | { |
4067 | memcpy(dst, &val, sizeof(val)); |
4068 | return dst + sizeof(val); |
4069 | } |
4070 | |
4071 | static int test_akcipher_one(struct crypto_akcipher *tfm, |
4072 | const struct akcipher_testvec *vecs) |
4073 | { |
4074 | char *xbuf[XBUFSIZE]; |
4075 | struct akcipher_request *req; |
4076 | void *outbuf_enc = NULL; |
4077 | void *outbuf_dec = NULL; |
4078 | struct crypto_wait wait; |
4079 | unsigned int out_len_max, out_len = 0; |
4080 | int err = -ENOMEM; |
4081 | struct scatterlist src, dst, src_tab[3]; |
4082 | const char *m, *c; |
4083 | unsigned int m_size, c_size; |
4084 | const char *op; |
4085 | u8 *key, *ptr; |
4086 | |
4087 | if (testmgr_alloc_buf(xbuf)) |
4088 | return err; |
4089 | |
4090 | req = akcipher_request_alloc(tfm, GFP_KERNEL); |
4091 | if (!req) |
4092 | goto free_xbuf; |
4093 | |
4094 | crypto_init_wait(&wait); |
4095 | |
4096 | key = kmalloc(vecs->key_len + sizeof(u32) * 2 + vecs->param_len, |
4097 | GFP_KERNEL); |
4098 | if (!key) |
4099 | goto free_req; |
4100 | memcpy(key, vecs->key, vecs->key_len); |
4101 | ptr = key + vecs->key_len; |
4102 | ptr = test_pack_u32(ptr, vecs->algo); |
4103 | ptr = test_pack_u32(ptr, vecs->param_len); |
4104 | memcpy(ptr, vecs->params, vecs->param_len); |
4105 | |
4106 | if (vecs->public_key_vec) |
4107 | err = crypto_akcipher_set_pub_key(tfm, key, vecs->key_len); |
4108 | else |
4109 | err = crypto_akcipher_set_priv_key(tfm, key, vecs->key_len); |
4110 | if (err) |
4111 | goto free_key; |
4112 | |
4113 | /* |
4114 | * First run test which do not require a private key, such as |
4115 | * encrypt or verify. |
4116 | */ |
4117 | err = -ENOMEM; |
4118 | out_len_max = crypto_akcipher_maxsize(tfm); |
4119 | outbuf_enc = kzalloc(out_len_max, GFP_KERNEL); |
4120 | if (!outbuf_enc) |
4121 | goto free_key; |
4122 | |
4123 | if (!vecs->siggen_sigver_test) { |
4124 | m = vecs->m; |
4125 | m_size = vecs->m_size; |
4126 | c = vecs->c; |
4127 | c_size = vecs->c_size; |
4128 | op = "encrypt" ; |
4129 | } else { |
4130 | /* Swap args so we could keep plaintext (digest) |
4131 | * in vecs->m, and cooked signature in vecs->c. |
4132 | */ |
4133 | m = vecs->c; /* signature */ |
4134 | m_size = vecs->c_size; |
4135 | c = vecs->m; /* digest */ |
4136 | c_size = vecs->m_size; |
4137 | op = "verify" ; |
4138 | } |
4139 | |
4140 | err = -E2BIG; |
4141 | if (WARN_ON(m_size > PAGE_SIZE)) |
4142 | goto free_all; |
4143 | memcpy(xbuf[0], m, m_size); |
4144 | |
4145 | sg_init_table(src_tab, 3); |
4146 | sg_set_buf(&src_tab[0], xbuf[0], 8); |
4147 | sg_set_buf(&src_tab[1], xbuf[0] + 8, m_size - 8); |
4148 | if (vecs->siggen_sigver_test) { |
4149 | if (WARN_ON(c_size > PAGE_SIZE)) |
4150 | goto free_all; |
4151 | memcpy(xbuf[1], c, c_size); |
4152 | sg_set_buf(&src_tab[2], xbuf[1], c_size); |
4153 | akcipher_request_set_crypt(req, src_tab, NULL, m_size, c_size); |
4154 | } else { |
4155 | sg_init_one(&dst, outbuf_enc, out_len_max); |
4156 | akcipher_request_set_crypt(req, src_tab, &dst, m_size, |
4157 | out_len_max); |
4158 | } |
4159 | akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
4160 | crypto_req_done, &wait); |
4161 | |
4162 | err = crypto_wait_req(vecs->siggen_sigver_test ? |
4163 | /* Run asymmetric signature verification */ |
4164 | crypto_akcipher_verify(req) : |
4165 | /* Run asymmetric encrypt */ |
4166 | crypto_akcipher_encrypt(req), &wait); |
4167 | if (err) { |
4168 | pr_err("alg: akcipher: %s test failed. err %d\n" , op, err); |
4169 | goto free_all; |
4170 | } |
4171 | if (!vecs->siggen_sigver_test && c) { |
4172 | if (req->dst_len != c_size) { |
4173 | pr_err("alg: akcipher: %s test failed. Invalid output len\n" , |
4174 | op); |
4175 | err = -EINVAL; |
4176 | goto free_all; |
4177 | } |
4178 | /* verify that encrypted message is equal to expected */ |
4179 | if (memcmp(c, outbuf_enc, c_size) != 0) { |
4180 | pr_err("alg: akcipher: %s test failed. Invalid output\n" , |
4181 | op); |
4182 | hexdump(outbuf_enc, c_size); |
4183 | err = -EINVAL; |
4184 | goto free_all; |
4185 | } |
4186 | } |
4187 | |
4188 | /* |
4189 | * Don't invoke (decrypt or sign) test which require a private key |
4190 | * for vectors with only a public key. |
4191 | */ |
4192 | if (vecs->public_key_vec) { |
4193 | err = 0; |
4194 | goto free_all; |
4195 | } |
4196 | outbuf_dec = kzalloc(out_len_max, GFP_KERNEL); |
4197 | if (!outbuf_dec) { |
4198 | err = -ENOMEM; |
4199 | goto free_all; |
4200 | } |
4201 | |
4202 | if (!vecs->siggen_sigver_test && !c) { |
4203 | c = outbuf_enc; |
4204 | c_size = req->dst_len; |
4205 | } |
4206 | |
4207 | err = -E2BIG; |
4208 | op = vecs->siggen_sigver_test ? "sign" : "decrypt" ; |
4209 | if (WARN_ON(c_size > PAGE_SIZE)) |
4210 | goto free_all; |
4211 | memcpy(xbuf[0], c, c_size); |
4212 | |
4213 | sg_init_one(&src, xbuf[0], c_size); |
4214 | sg_init_one(&dst, outbuf_dec, out_len_max); |
4215 | crypto_init_wait(&wait); |
4216 | akcipher_request_set_crypt(req, &src, &dst, c_size, out_len_max); |
4217 | |
4218 | err = crypto_wait_req(vecs->siggen_sigver_test ? |
4219 | /* Run asymmetric signature generation */ |
4220 | crypto_akcipher_sign(req) : |
4221 | /* Run asymmetric decrypt */ |
4222 | crypto_akcipher_decrypt(req), &wait); |
4223 | if (err) { |
4224 | pr_err("alg: akcipher: %s test failed. err %d\n" , op, err); |
4225 | goto free_all; |
4226 | } |
4227 | out_len = req->dst_len; |
4228 | if (out_len < m_size) { |
4229 | pr_err("alg: akcipher: %s test failed. Invalid output len %u\n" , |
4230 | op, out_len); |
4231 | err = -EINVAL; |
4232 | goto free_all; |
4233 | } |
4234 | /* verify that decrypted message is equal to the original msg */ |
4235 | if (memchr_inv(outbuf_dec, 0, out_len - m_size) || |
4236 | memcmp(m, outbuf_dec + out_len - m_size, m_size)) { |
4237 | pr_err("alg: akcipher: %s test failed. Invalid output\n" , op); |
4238 | hexdump(outbuf_dec, out_len); |
4239 | err = -EINVAL; |
4240 | } |
4241 | free_all: |
4242 | kfree(outbuf_dec); |
4243 | kfree(outbuf_enc); |
4244 | free_key: |
4245 | kfree(key); |
4246 | free_req: |
4247 | akcipher_request_free(req); |
4248 | free_xbuf: |
4249 | testmgr_free_buf(xbuf); |
4250 | return err; |
4251 | } |
4252 | |
4253 | static int test_akcipher(struct crypto_akcipher *tfm, const char *alg, |
4254 | const struct akcipher_testvec *vecs, |
4255 | unsigned int tcount) |
4256 | { |
4257 | const char *algo = |
4258 | crypto_tfm_alg_driver_name(crypto_akcipher_tfm(tfm)); |
4259 | int ret, i; |
4260 | |
4261 | for (i = 0; i < tcount; i++) { |
4262 | ret = test_akcipher_one(tfm, vecs++); |
4263 | if (!ret) |
4264 | continue; |
4265 | |
4266 | pr_err("alg: akcipher: test %d failed for %s, err=%d\n" , |
4267 | i + 1, algo, ret); |
4268 | return ret; |
4269 | } |
4270 | return 0; |
4271 | } |
4272 | |
4273 | static int alg_test_akcipher(const struct alg_test_desc *desc, |
4274 | const char *driver, u32 type, u32 mask) |
4275 | { |
4276 | struct crypto_akcipher *tfm; |
4277 | int err = 0; |
4278 | |
4279 | tfm = crypto_alloc_akcipher(driver, type, mask); |
4280 | if (IS_ERR(tfm)) { |
4281 | pr_err("alg: akcipher: Failed to load tfm for %s: %ld\n" , |
4282 | driver, PTR_ERR(tfm)); |
4283 | return PTR_ERR(tfm); |
4284 | } |
4285 | if (desc->suite.akcipher.vecs) |
4286 | err = test_akcipher(tfm, desc->alg, desc->suite.akcipher.vecs, |
4287 | desc->suite.akcipher.count); |
4288 | |
4289 | crypto_free_akcipher(tfm); |
4290 | return err; |
4291 | } |
4292 | |
4293 | static int alg_test_null(const struct alg_test_desc *desc, |
4294 | const char *driver, u32 type, u32 mask) |
4295 | { |
4296 | return 0; |
4297 | } |
4298 | |
4299 | #define ____VECS(tv) .vecs = tv, .count = ARRAY_SIZE(tv) |
4300 | #define __VECS(tv) { ____VECS(tv) } |
4301 | |
4302 | /* Please keep this list sorted by algorithm name. */ |
4303 | static const struct alg_test_desc alg_test_descs[] = { |
4304 | { |
4305 | .alg = "adiantum(xchacha12,aes)" , |
4306 | .generic_driver = "adiantum(xchacha12-generic,aes-generic,nhpoly1305-generic)" , |
4307 | .test = alg_test_skcipher, |
4308 | .suite = { |
4309 | .cipher = __VECS(adiantum_xchacha12_aes_tv_template) |
4310 | }, |
4311 | }, { |
4312 | .alg = "adiantum(xchacha20,aes)" , |
4313 | .generic_driver = "adiantum(xchacha20-generic,aes-generic,nhpoly1305-generic)" , |
4314 | .test = alg_test_skcipher, |
4315 | .suite = { |
4316 | .cipher = __VECS(adiantum_xchacha20_aes_tv_template) |
4317 | }, |
4318 | }, { |
4319 | .alg = "aegis128" , |
4320 | .test = alg_test_aead, |
4321 | .suite = { |
4322 | .aead = __VECS(aegis128_tv_template) |
4323 | } |
4324 | }, { |
4325 | .alg = "ansi_cprng" , |
4326 | .test = alg_test_cprng, |
4327 | .suite = { |
4328 | .cprng = __VECS(ansi_cprng_aes_tv_template) |
4329 | } |
4330 | }, { |
4331 | .alg = "authenc(hmac(md5),ecb(cipher_null))" , |
4332 | .test = alg_test_aead, |
4333 | .suite = { |
4334 | .aead = __VECS(hmac_md5_ecb_cipher_null_tv_template) |
4335 | } |
4336 | }, { |
4337 | .alg = "authenc(hmac(sha1),cbc(aes))" , |
4338 | .test = alg_test_aead, |
4339 | .fips_allowed = 1, |
4340 | .suite = { |
4341 | .aead = __VECS(hmac_sha1_aes_cbc_tv_temp) |
4342 | } |
4343 | }, { |
4344 | .alg = "authenc(hmac(sha1),cbc(des))" , |
4345 | .test = alg_test_aead, |
4346 | .suite = { |
4347 | .aead = __VECS(hmac_sha1_des_cbc_tv_temp) |
4348 | } |
4349 | }, { |
4350 | .alg = "authenc(hmac(sha1),cbc(des3_ede))" , |
4351 | .test = alg_test_aead, |
4352 | .suite = { |
4353 | .aead = __VECS(hmac_sha1_des3_ede_cbc_tv_temp) |
4354 | } |
4355 | }, { |
4356 | .alg = "authenc(hmac(sha1),ctr(aes))" , |
4357 | .test = alg_test_null, |
4358 | .fips_allowed = 1, |
4359 | }, { |
4360 | .alg = "authenc(hmac(sha1),ecb(cipher_null))" , |
4361 | .test = alg_test_aead, |
4362 | .suite = { |
4363 | .aead = __VECS(hmac_sha1_ecb_cipher_null_tv_temp) |
4364 | } |
4365 | }, { |
4366 | .alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))" , |
4367 | .test = alg_test_null, |
4368 | .fips_allowed = 1, |
4369 | }, { |
4370 | .alg = "authenc(hmac(sha224),cbc(des))" , |
4371 | .test = alg_test_aead, |
4372 | .suite = { |
4373 | .aead = __VECS(hmac_sha224_des_cbc_tv_temp) |
4374 | } |
4375 | }, { |
4376 | .alg = "authenc(hmac(sha224),cbc(des3_ede))" , |
4377 | .test = alg_test_aead, |
4378 | .suite = { |
4379 | .aead = __VECS(hmac_sha224_des3_ede_cbc_tv_temp) |
4380 | } |
4381 | }, { |
4382 | .alg = "authenc(hmac(sha256),cbc(aes))" , |
4383 | .test = alg_test_aead, |
4384 | .fips_allowed = 1, |
4385 | .suite = { |
4386 | .aead = __VECS(hmac_sha256_aes_cbc_tv_temp) |
4387 | } |
4388 | }, { |
4389 | .alg = "authenc(hmac(sha256),cbc(des))" , |
4390 | .test = alg_test_aead, |
4391 | .suite = { |
4392 | .aead = __VECS(hmac_sha256_des_cbc_tv_temp) |
4393 | } |
4394 | }, { |
4395 | .alg = "authenc(hmac(sha256),cbc(des3_ede))" , |
4396 | .test = alg_test_aead, |
4397 | .suite = { |
4398 | .aead = __VECS(hmac_sha256_des3_ede_cbc_tv_temp) |
4399 | } |
4400 | }, { |
4401 | .alg = "authenc(hmac(sha256),ctr(aes))" , |
4402 | .test = alg_test_null, |
4403 | .fips_allowed = 1, |
4404 | }, { |
4405 | .alg = "authenc(hmac(sha256),rfc3686(ctr(aes)))" , |
4406 | .test = alg_test_null, |
4407 | .fips_allowed = 1, |
4408 | }, { |
4409 | .alg = "authenc(hmac(sha384),cbc(des))" , |
4410 | .test = alg_test_aead, |
4411 | .suite = { |
4412 | .aead = __VECS(hmac_sha384_des_cbc_tv_temp) |
4413 | } |
4414 | }, { |
4415 | .alg = "authenc(hmac(sha384),cbc(des3_ede))" , |
4416 | .test = alg_test_aead, |
4417 | .suite = { |
4418 | .aead = __VECS(hmac_sha384_des3_ede_cbc_tv_temp) |
4419 | } |
4420 | }, { |
4421 | .alg = "authenc(hmac(sha384),ctr(aes))" , |
4422 | .test = alg_test_null, |
4423 | .fips_allowed = 1, |
4424 | }, { |
4425 | .alg = "authenc(hmac(sha384),rfc3686(ctr(aes)))" , |
4426 | .test = alg_test_null, |
4427 | .fips_allowed = 1, |
4428 | }, { |
4429 | .alg = "authenc(hmac(sha512),cbc(aes))" , |
4430 | .fips_allowed = 1, |
4431 | .test = alg_test_aead, |
4432 | .suite = { |
4433 | .aead = __VECS(hmac_sha512_aes_cbc_tv_temp) |
4434 | } |
4435 | }, { |
4436 | .alg = "authenc(hmac(sha512),cbc(des))" , |
4437 | .test = alg_test_aead, |
4438 | .suite = { |
4439 | .aead = __VECS(hmac_sha512_des_cbc_tv_temp) |
4440 | } |
4441 | }, { |
4442 | .alg = "authenc(hmac(sha512),cbc(des3_ede))" , |
4443 | .test = alg_test_aead, |
4444 | .suite = { |
4445 | .aead = __VECS(hmac_sha512_des3_ede_cbc_tv_temp) |
4446 | } |
4447 | }, { |
4448 | .alg = "authenc(hmac(sha512),ctr(aes))" , |
4449 | .test = alg_test_null, |
4450 | .fips_allowed = 1, |
4451 | }, { |
4452 | .alg = "authenc(hmac(sha512),rfc3686(ctr(aes)))" , |
4453 | .test = alg_test_null, |
4454 | .fips_allowed = 1, |
4455 | }, { |
4456 | .alg = "blake2b-160" , |
4457 | .test = alg_test_hash, |
4458 | .fips_allowed = 0, |
4459 | .suite = { |
4460 | .hash = __VECS(blake2b_160_tv_template) |
4461 | } |
4462 | }, { |
4463 | .alg = "blake2b-256" , |
4464 | .test = alg_test_hash, |
4465 | .fips_allowed = 0, |
4466 | .suite = { |
4467 | .hash = __VECS(blake2b_256_tv_template) |
4468 | } |
4469 | }, { |
4470 | .alg = "blake2b-384" , |
4471 | .test = alg_test_hash, |
4472 | .fips_allowed = 0, |
4473 | .suite = { |
4474 | .hash = __VECS(blake2b_384_tv_template) |
4475 | } |
4476 | }, { |
4477 | .alg = "blake2b-512" , |
4478 | .test = alg_test_hash, |
4479 | .fips_allowed = 0, |
4480 | .suite = { |
4481 | .hash = __VECS(blake2b_512_tv_template) |
4482 | } |
4483 | }, { |
4484 | .alg = "cbc(aes)" , |
4485 | .test = alg_test_skcipher, |
4486 | .fips_allowed = 1, |
4487 | .suite = { |
4488 | .cipher = __VECS(aes_cbc_tv_template) |
4489 | }, |
4490 | }, { |
4491 | .alg = "cbc(anubis)" , |
4492 | .test = alg_test_skcipher, |
4493 | .suite = { |
4494 | .cipher = __VECS(anubis_cbc_tv_template) |
4495 | }, |
4496 | }, { |
4497 | .alg = "cbc(aria)" , |
4498 | .test = alg_test_skcipher, |
4499 | .suite = { |
4500 | .cipher = __VECS(aria_cbc_tv_template) |
4501 | }, |
4502 | }, { |
4503 | .alg = "cbc(blowfish)" , |
4504 | .test = alg_test_skcipher, |
4505 | .suite = { |
4506 | .cipher = __VECS(bf_cbc_tv_template) |
4507 | }, |
4508 | }, { |
4509 | .alg = "cbc(camellia)" , |
4510 | .test = alg_test_skcipher, |
4511 | .suite = { |
4512 | .cipher = __VECS(camellia_cbc_tv_template) |
4513 | }, |
4514 | }, { |
4515 | .alg = "cbc(cast5)" , |
4516 | .test = alg_test_skcipher, |
4517 | .suite = { |
4518 | .cipher = __VECS(cast5_cbc_tv_template) |
4519 | }, |
4520 | }, { |
4521 | .alg = "cbc(cast6)" , |
4522 | .test = alg_test_skcipher, |
4523 | .suite = { |
4524 | .cipher = __VECS(cast6_cbc_tv_template) |
4525 | }, |
4526 | }, { |
4527 | .alg = "cbc(des)" , |
4528 | .test = alg_test_skcipher, |
4529 | .suite = { |
4530 | .cipher = __VECS(des_cbc_tv_template) |
4531 | }, |
4532 | }, { |
4533 | .alg = "cbc(des3_ede)" , |
4534 | .test = alg_test_skcipher, |
4535 | .suite = { |
4536 | .cipher = __VECS(des3_ede_cbc_tv_template) |
4537 | }, |
4538 | }, { |
4539 | /* Same as cbc(aes) except the key is stored in |
4540 | * hardware secure memory which we reference by index |
4541 | */ |
4542 | .alg = "cbc(paes)" , |
4543 | .test = alg_test_null, |
4544 | .fips_allowed = 1, |
4545 | }, { |
4546 | /* Same as cbc(sm4) except the key is stored in |
4547 | * hardware secure memory which we reference by index |
4548 | */ |
4549 | .alg = "cbc(psm4)" , |
4550 | .test = alg_test_null, |
4551 | }, { |
4552 | .alg = "cbc(serpent)" , |
4553 | .test = alg_test_skcipher, |
4554 | .suite = { |
4555 | .cipher = __VECS(serpent_cbc_tv_template) |
4556 | }, |
4557 | }, { |
4558 | .alg = "cbc(sm4)" , |
4559 | .test = alg_test_skcipher, |
4560 | .suite = { |
4561 | .cipher = __VECS(sm4_cbc_tv_template) |
4562 | } |
4563 | }, { |
4564 | .alg = "cbc(twofish)" , |
4565 | .test = alg_test_skcipher, |
4566 | .suite = { |
4567 | .cipher = __VECS(tf_cbc_tv_template) |
4568 | }, |
4569 | }, { |
4570 | #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390) |
4571 | .alg = "cbc-paes-s390" , |
4572 | .fips_allowed = 1, |
4573 | .test = alg_test_skcipher, |
4574 | .suite = { |
4575 | .cipher = __VECS(aes_cbc_tv_template) |
4576 | } |
4577 | }, { |
4578 | #endif |
4579 | .alg = "cbcmac(aes)" , |
4580 | .test = alg_test_hash, |
4581 | .suite = { |
4582 | .hash = __VECS(aes_cbcmac_tv_template) |
4583 | } |
4584 | }, { |
4585 | .alg = "cbcmac(sm4)" , |
4586 | .test = alg_test_hash, |
4587 | .suite = { |
4588 | .hash = __VECS(sm4_cbcmac_tv_template) |
4589 | } |
4590 | }, { |
4591 | .alg = "ccm(aes)" , |
4592 | .generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))" , |
4593 | .test = alg_test_aead, |
4594 | .fips_allowed = 1, |
4595 | .suite = { |
4596 | .aead = { |
4597 | ____VECS(aes_ccm_tv_template), |
4598 | .einval_allowed = 1, |
4599 | } |
4600 | } |
4601 | }, { |
4602 | .alg = "ccm(sm4)" , |
4603 | .generic_driver = "ccm_base(ctr(sm4-generic),cbcmac(sm4-generic))" , |
4604 | .test = alg_test_aead, |
4605 | .suite = { |
4606 | .aead = { |
4607 | ____VECS(sm4_ccm_tv_template), |
4608 | .einval_allowed = 1, |
4609 | } |
4610 | } |
4611 | }, { |
4612 | .alg = "cfb(aes)" , |
4613 | .test = alg_test_skcipher, |
4614 | .fips_allowed = 1, |
4615 | .suite = { |
4616 | .cipher = __VECS(aes_cfb_tv_template) |
4617 | }, |
4618 | }, { |
4619 | .alg = "cfb(aria)" , |
4620 | .test = alg_test_skcipher, |
4621 | .suite = { |
4622 | .cipher = __VECS(aria_cfb_tv_template) |
4623 | }, |
4624 | }, { |
4625 | .alg = "cfb(sm4)" , |
4626 | .test = alg_test_skcipher, |
4627 | .suite = { |
4628 | .cipher = __VECS(sm4_cfb_tv_template) |
4629 | } |
4630 | }, { |
4631 | .alg = "chacha20" , |
4632 | .test = alg_test_skcipher, |
4633 | .suite = { |
4634 | .cipher = __VECS(chacha20_tv_template) |
4635 | }, |
4636 | }, { |
4637 | .alg = "cmac(aes)" , |
4638 | .fips_allowed = 1, |
4639 | .test = alg_test_hash, |
4640 | .suite = { |
4641 | .hash = __VECS(aes_cmac128_tv_template) |
4642 | } |
4643 | }, { |
4644 | .alg = "cmac(camellia)" , |
4645 | .test = alg_test_hash, |
4646 | .suite = { |
4647 | .hash = __VECS(camellia_cmac128_tv_template) |
4648 | } |
4649 | }, { |
4650 | .alg = "cmac(des3_ede)" , |
4651 | .test = alg_test_hash, |
4652 | .suite = { |
4653 | .hash = __VECS(des3_ede_cmac64_tv_template) |
4654 | } |
4655 | }, { |
4656 | .alg = "cmac(sm4)" , |
4657 | .test = alg_test_hash, |
4658 | .suite = { |
4659 | .hash = __VECS(sm4_cmac128_tv_template) |
4660 | } |
4661 | }, { |
4662 | .alg = "compress_null" , |
4663 | .test = alg_test_null, |
4664 | }, { |
4665 | .alg = "crc32" , |
4666 | .test = alg_test_hash, |
4667 | .fips_allowed = 1, |
4668 | .suite = { |
4669 | .hash = __VECS(crc32_tv_template) |
4670 | } |
4671 | }, { |
4672 | .alg = "crc32c" , |
4673 | .test = alg_test_crc32c, |
4674 | .fips_allowed = 1, |
4675 | .suite = { |
4676 | .hash = __VECS(crc32c_tv_template) |
4677 | } |
4678 | }, { |
4679 | .alg = "crc64-rocksoft" , |
4680 | .test = alg_test_hash, |
4681 | .fips_allowed = 1, |
4682 | .suite = { |
4683 | .hash = __VECS(crc64_rocksoft_tv_template) |
4684 | } |
4685 | }, { |
4686 | .alg = "crct10dif" , |
4687 | .test = alg_test_hash, |
4688 | .fips_allowed = 1, |
4689 | .suite = { |
4690 | .hash = __VECS(crct10dif_tv_template) |
4691 | } |
4692 | }, { |
4693 | .alg = "ctr(aes)" , |
4694 | .test = alg_test_skcipher, |
4695 | .fips_allowed = 1, |
4696 | .suite = { |
4697 | .cipher = __VECS(aes_ctr_tv_template) |
4698 | } |
4699 | }, { |
4700 | .alg = "ctr(aria)" , |
4701 | .test = alg_test_skcipher, |
4702 | .suite = { |
4703 | .cipher = __VECS(aria_ctr_tv_template) |
4704 | } |
4705 | }, { |
4706 | .alg = "ctr(blowfish)" , |
4707 | .test = alg_test_skcipher, |
4708 | .suite = { |
4709 | .cipher = __VECS(bf_ctr_tv_template) |
4710 | } |
4711 | }, { |
4712 | .alg = "ctr(camellia)" , |
4713 | .test = alg_test_skcipher, |
4714 | .suite = { |
4715 | .cipher = __VECS(camellia_ctr_tv_template) |
4716 | } |
4717 | }, { |
4718 | .alg = "ctr(cast5)" , |
4719 | .test = alg_test_skcipher, |
4720 | .suite = { |
4721 | .cipher = __VECS(cast5_ctr_tv_template) |
4722 | } |
4723 | }, { |
4724 | .alg = "ctr(cast6)" , |
4725 | .test = alg_test_skcipher, |
4726 | .suite = { |
4727 | .cipher = __VECS(cast6_ctr_tv_template) |
4728 | } |
4729 | }, { |
4730 | .alg = "ctr(des)" , |
4731 | .test = alg_test_skcipher, |
4732 | .suite = { |
4733 | .cipher = __VECS(des_ctr_tv_template) |
4734 | } |
4735 | }, { |
4736 | .alg = "ctr(des3_ede)" , |
4737 | .test = alg_test_skcipher, |
4738 | .suite = { |
4739 | .cipher = __VECS(des3_ede_ctr_tv_template) |
4740 | } |
4741 | }, { |
4742 | /* Same as ctr(aes) except the key is stored in |
4743 | * hardware secure memory which we reference by index |
4744 | */ |
4745 | .alg = "ctr(paes)" , |
4746 | .test = alg_test_null, |
4747 | .fips_allowed = 1, |
4748 | }, { |
4749 | |
4750 | /* Same as ctr(sm4) except the key is stored in |
4751 | * hardware secure memory which we reference by index |
4752 | */ |
4753 | .alg = "ctr(psm4)" , |
4754 | .test = alg_test_null, |
4755 | }, { |
4756 | .alg = "ctr(serpent)" , |
4757 | .test = alg_test_skcipher, |
4758 | .suite = { |
4759 | .cipher = __VECS(serpent_ctr_tv_template) |
4760 | } |
4761 | }, { |
4762 | .alg = "ctr(sm4)" , |
4763 | .test = alg_test_skcipher, |
4764 | .suite = { |
4765 | .cipher = __VECS(sm4_ctr_tv_template) |
4766 | } |
4767 | }, { |
4768 | .alg = "ctr(twofish)" , |
4769 | .test = alg_test_skcipher, |
4770 | .suite = { |
4771 | .cipher = __VECS(tf_ctr_tv_template) |
4772 | } |
4773 | }, { |
4774 | #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390) |
4775 | .alg = "ctr-paes-s390" , |
4776 | .fips_allowed = 1, |
4777 | .test = alg_test_skcipher, |
4778 | .suite = { |
4779 | .cipher = __VECS(aes_ctr_tv_template) |
4780 | } |
4781 | }, { |
4782 | #endif |
4783 | .alg = "cts(cbc(aes))" , |
4784 | .test = alg_test_skcipher, |
4785 | .fips_allowed = 1, |
4786 | .suite = { |
4787 | .cipher = __VECS(cts_mode_tv_template) |
4788 | } |
4789 | }, { |
4790 | /* Same as cts(cbc((aes)) except the key is stored in |
4791 | * hardware secure memory which we reference by index |
4792 | */ |
4793 | .alg = "cts(cbc(paes))" , |
4794 | .test = alg_test_null, |
4795 | .fips_allowed = 1, |
4796 | }, { |
4797 | .alg = "cts(cbc(sm4))" , |
4798 | .test = alg_test_skcipher, |
4799 | .suite = { |
4800 | .cipher = __VECS(sm4_cts_tv_template) |
4801 | } |
4802 | }, { |
4803 | .alg = "curve25519" , |
4804 | .test = alg_test_kpp, |
4805 | .suite = { |
4806 | .kpp = __VECS(curve25519_tv_template) |
4807 | } |
4808 | }, { |
4809 | .alg = "deflate" , |
4810 | .test = alg_test_comp, |
4811 | .fips_allowed = 1, |
4812 | .suite = { |
4813 | .comp = { |
4814 | .comp = __VECS(deflate_comp_tv_template), |
4815 | .decomp = __VECS(deflate_decomp_tv_template) |
4816 | } |
4817 | } |
4818 | }, { |
4819 | .alg = "dh" , |
4820 | .test = alg_test_kpp, |
4821 | .suite = { |
4822 | .kpp = __VECS(dh_tv_template) |
4823 | } |
4824 | }, { |
4825 | .alg = "digest_null" , |
4826 | .test = alg_test_null, |
4827 | }, { |
4828 | .alg = "drbg_nopr_ctr_aes128" , |
4829 | .test = alg_test_drbg, |
4830 | .fips_allowed = 1, |
4831 | .suite = { |
4832 | .drbg = __VECS(drbg_nopr_ctr_aes128_tv_template) |
4833 | } |
4834 | }, { |
4835 | .alg = "drbg_nopr_ctr_aes192" , |
4836 | .test = alg_test_drbg, |
4837 | .fips_allowed = 1, |
4838 | .suite = { |
4839 | .drbg = __VECS(drbg_nopr_ctr_aes192_tv_template) |
4840 | } |
4841 | }, { |
4842 | .alg = "drbg_nopr_ctr_aes256" , |
4843 | .test = alg_test_drbg, |
4844 | .fips_allowed = 1, |
4845 | .suite = { |
4846 | .drbg = __VECS(drbg_nopr_ctr_aes256_tv_template) |
4847 | } |
4848 | }, { |
4849 | /* |
4850 | * There is no need to specifically test the DRBG with every |
4851 | * backend cipher -- covered by drbg_nopr_hmac_sha256 test |
4852 | */ |
4853 | .alg = "drbg_nopr_hmac_sha1" , |
4854 | .fips_allowed = 1, |
4855 | .test = alg_test_null, |
4856 | }, { |
4857 | .alg = "drbg_nopr_hmac_sha256" , |
4858 | .test = alg_test_drbg, |
4859 | .fips_allowed = 1, |
4860 | .suite = { |
4861 | .drbg = __VECS(drbg_nopr_hmac_sha256_tv_template) |
4862 | } |
4863 | }, { |
4864 | /* covered by drbg_nopr_hmac_sha256 test */ |
4865 | .alg = "drbg_nopr_hmac_sha384" , |
4866 | .test = alg_test_null, |
4867 | }, { |
4868 | .alg = "drbg_nopr_hmac_sha512" , |
4869 | .test = alg_test_drbg, |
4870 | .fips_allowed = 1, |
4871 | .suite = { |
4872 | .drbg = __VECS(drbg_nopr_hmac_sha512_tv_template) |
4873 | } |
4874 | }, { |
4875 | .alg = "drbg_nopr_sha1" , |
4876 | .fips_allowed = 1, |
4877 | .test = alg_test_null, |
4878 | }, { |
4879 | .alg = "drbg_nopr_sha256" , |
4880 | .test = alg_test_drbg, |
4881 | .fips_allowed = 1, |
4882 | .suite = { |
4883 | .drbg = __VECS(drbg_nopr_sha256_tv_template) |
4884 | } |
4885 | }, { |
4886 | /* covered by drbg_nopr_sha256 test */ |
4887 | .alg = "drbg_nopr_sha384" , |
4888 | .test = alg_test_null, |
4889 | }, { |
4890 | .alg = "drbg_nopr_sha512" , |
4891 | .fips_allowed = 1, |
4892 | .test = alg_test_null, |
4893 | }, { |
4894 | .alg = "drbg_pr_ctr_aes128" , |
4895 | .test = alg_test_drbg, |
4896 | .fips_allowed = 1, |
4897 | .suite = { |
4898 | .drbg = __VECS(drbg_pr_ctr_aes128_tv_template) |
4899 | } |
4900 | }, { |
4901 | /* covered by drbg_pr_ctr_aes128 test */ |
4902 | .alg = "drbg_pr_ctr_aes192" , |
4903 | .fips_allowed = 1, |
4904 | .test = alg_test_null, |
4905 | }, { |
4906 | .alg = "drbg_pr_ctr_aes256" , |
4907 | .fips_allowed = 1, |
4908 | .test = alg_test_null, |
4909 | }, { |
4910 | .alg = "drbg_pr_hmac_sha1" , |
4911 | .fips_allowed = 1, |
4912 | .test = alg_test_null, |
4913 | }, { |
4914 | .alg = "drbg_pr_hmac_sha256" , |
4915 | .test = alg_test_drbg, |
4916 | .fips_allowed = 1, |
4917 | .suite = { |
4918 | .drbg = __VECS(drbg_pr_hmac_sha256_tv_template) |
4919 | } |
4920 | }, { |
4921 | /* covered by drbg_pr_hmac_sha256 test */ |
4922 | .alg = "drbg_pr_hmac_sha384" , |
4923 | .test = alg_test_null, |
4924 | }, { |
4925 | .alg = "drbg_pr_hmac_sha512" , |
4926 | .test = alg_test_null, |
4927 | .fips_allowed = 1, |
4928 | }, { |
4929 | .alg = "drbg_pr_sha1" , |
4930 | .fips_allowed = 1, |
4931 | .test = alg_test_null, |
4932 | }, { |
4933 | .alg = "drbg_pr_sha256" , |
4934 | .test = alg_test_drbg, |
4935 | .fips_allowed = 1, |
4936 | .suite = { |
4937 | .drbg = __VECS(drbg_pr_sha256_tv_template) |
4938 | } |
4939 | }, { |
4940 | /* covered by drbg_pr_sha256 test */ |
4941 | .alg = "drbg_pr_sha384" , |
4942 | .test = alg_test_null, |
4943 | }, { |
4944 | .alg = "drbg_pr_sha512" , |
4945 | .fips_allowed = 1, |
4946 | .test = alg_test_null, |
4947 | }, { |
4948 | .alg = "ecb(aes)" , |
4949 | .test = alg_test_skcipher, |
4950 | .fips_allowed = 1, |
4951 | .suite = { |
4952 | .cipher = __VECS(aes_tv_template) |
4953 | } |
4954 | }, { |
4955 | .alg = "ecb(anubis)" , |
4956 | .test = alg_test_skcipher, |
4957 | .suite = { |
4958 | .cipher = __VECS(anubis_tv_template) |
4959 | } |
4960 | }, { |
4961 | .alg = "ecb(arc4)" , |
4962 | .generic_driver = "arc4-generic" , |
4963 | .test = alg_test_skcipher, |
4964 | .suite = { |
4965 | .cipher = __VECS(arc4_tv_template) |
4966 | } |
4967 | }, { |
4968 | .alg = "ecb(aria)" , |
4969 | .test = alg_test_skcipher, |
4970 | .suite = { |
4971 | .cipher = __VECS(aria_tv_template) |
4972 | } |
4973 | }, { |
4974 | .alg = "ecb(blowfish)" , |
4975 | .test = alg_test_skcipher, |
4976 | .suite = { |
4977 | .cipher = __VECS(bf_tv_template) |
4978 | } |
4979 | }, { |
4980 | .alg = "ecb(camellia)" , |
4981 | .test = alg_test_skcipher, |
4982 | .suite = { |
4983 | .cipher = __VECS(camellia_tv_template) |
4984 | } |
4985 | }, { |
4986 | .alg = "ecb(cast5)" , |
4987 | .test = alg_test_skcipher, |
4988 | .suite = { |
4989 | .cipher = __VECS(cast5_tv_template) |
4990 | } |
4991 | }, { |
4992 | .alg = "ecb(cast6)" , |
4993 | .test = alg_test_skcipher, |
4994 | .suite = { |
4995 | .cipher = __VECS(cast6_tv_template) |
4996 | } |
4997 | }, { |
4998 | .alg = "ecb(cipher_null)" , |
4999 | .test = alg_test_null, |
5000 | .fips_allowed = 1, |
5001 | }, { |
5002 | .alg = "ecb(des)" , |
5003 | .test = alg_test_skcipher, |
5004 | .suite = { |
5005 | .cipher = __VECS(des_tv_template) |
5006 | } |
5007 | }, { |
5008 | .alg = "ecb(des3_ede)" , |
5009 | .test = alg_test_skcipher, |
5010 | .suite = { |
5011 | .cipher = __VECS(des3_ede_tv_template) |
5012 | } |
5013 | }, { |
5014 | .alg = "ecb(fcrypt)" , |
5015 | .test = alg_test_skcipher, |
5016 | .suite = { |
5017 | .cipher = { |
5018 | .vecs = fcrypt_pcbc_tv_template, |
5019 | .count = 1 |
5020 | } |
5021 | } |
5022 | }, { |
5023 | .alg = "ecb(khazad)" , |
5024 | .test = alg_test_skcipher, |
5025 | .suite = { |
5026 | .cipher = __VECS(khazad_tv_template) |
5027 | } |
5028 | }, { |
5029 | /* Same as ecb(aes) except the key is stored in |
5030 | * hardware secure memory which we reference by index |
5031 | */ |
5032 | .alg = "ecb(paes)" , |
5033 | .test = alg_test_null, |
5034 | .fips_allowed = 1, |
5035 | }, { |
5036 | .alg = "ecb(seed)" , |
5037 | .test = alg_test_skcipher, |
5038 | .suite = { |
5039 | .cipher = __VECS(seed_tv_template) |
5040 | } |
5041 | }, { |
5042 | .alg = "ecb(serpent)" , |
5043 | .test = alg_test_skcipher, |
5044 | .suite = { |
5045 | .cipher = __VECS(serpent_tv_template) |
5046 | } |
5047 | }, { |
5048 | .alg = "ecb(sm4)" , |
5049 | .test = alg_test_skcipher, |
5050 | .suite = { |
5051 | .cipher = __VECS(sm4_tv_template) |
5052 | } |
5053 | }, { |
5054 | .alg = "ecb(tea)" , |
5055 | .test = alg_test_skcipher, |
5056 | .suite = { |
5057 | .cipher = __VECS(tea_tv_template) |
5058 | } |
5059 | }, { |
5060 | .alg = "ecb(twofish)" , |
5061 | .test = alg_test_skcipher, |
5062 | .suite = { |
5063 | .cipher = __VECS(tf_tv_template) |
5064 | } |
5065 | }, { |
5066 | .alg = "ecb(xeta)" , |
5067 | .test = alg_test_skcipher, |
5068 | .suite = { |
5069 | .cipher = __VECS(xeta_tv_template) |
5070 | } |
5071 | }, { |
5072 | .alg = "ecb(xtea)" , |
5073 | .test = alg_test_skcipher, |
5074 | .suite = { |
5075 | .cipher = __VECS(xtea_tv_template) |
5076 | } |
5077 | }, { |
5078 | #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390) |
5079 | .alg = "ecb-paes-s390" , |
5080 | .fips_allowed = 1, |
5081 | .test = alg_test_skcipher, |
5082 | .suite = { |
5083 | .cipher = __VECS(aes_tv_template) |
5084 | } |
5085 | }, { |
5086 | #endif |
5087 | .alg = "ecdh-nist-p192" , |
5088 | .test = alg_test_kpp, |
5089 | .suite = { |
5090 | .kpp = __VECS(ecdh_p192_tv_template) |
5091 | } |
5092 | }, { |
5093 | .alg = "ecdh-nist-p256" , |
5094 | .test = alg_test_kpp, |
5095 | .fips_allowed = 1, |
5096 | .suite = { |
5097 | .kpp = __VECS(ecdh_p256_tv_template) |
5098 | } |
5099 | }, { |
5100 | .alg = "ecdh-nist-p384" , |
5101 | .test = alg_test_kpp, |
5102 | .fips_allowed = 1, |
5103 | .suite = { |
5104 | .kpp = __VECS(ecdh_p384_tv_template) |
5105 | } |
5106 | }, { |
5107 | .alg = "ecdsa-nist-p192" , |
5108 | .test = alg_test_akcipher, |
5109 | .suite = { |
5110 | .akcipher = __VECS(ecdsa_nist_p192_tv_template) |
5111 | } |
5112 | }, { |
5113 | .alg = "ecdsa-nist-p256" , |
5114 | .test = alg_test_akcipher, |
5115 | .fips_allowed = 1, |
5116 | .suite = { |
5117 | .akcipher = __VECS(ecdsa_nist_p256_tv_template) |
5118 | } |
5119 | }, { |
5120 | .alg = "ecdsa-nist-p384" , |
5121 | .test = alg_test_akcipher, |
5122 | .fips_allowed = 1, |
5123 | .suite = { |
5124 | .akcipher = __VECS(ecdsa_nist_p384_tv_template) |
5125 | } |
5126 | }, { |
5127 | .alg = "ecrdsa" , |
5128 | .test = alg_test_akcipher, |
5129 | .suite = { |
5130 | .akcipher = __VECS(ecrdsa_tv_template) |
5131 | } |
5132 | }, { |
5133 | .alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)" , |
5134 | .test = alg_test_aead, |
5135 | .fips_allowed = 1, |
5136 | .suite = { |
5137 | .aead = __VECS(essiv_hmac_sha256_aes_cbc_tv_temp) |
5138 | } |
5139 | }, { |
5140 | .alg = "essiv(cbc(aes),sha256)" , |
5141 | .test = alg_test_skcipher, |
5142 | .fips_allowed = 1, |
5143 | .suite = { |
5144 | .cipher = __VECS(essiv_aes_cbc_tv_template) |
5145 | } |
5146 | }, { |
5147 | #if IS_ENABLED(CONFIG_CRYPTO_DH_RFC7919_GROUPS) |
5148 | .alg = "ffdhe2048(dh)" , |
5149 | .test = alg_test_kpp, |
5150 | .fips_allowed = 1, |
5151 | .suite = { |
5152 | .kpp = __VECS(ffdhe2048_dh_tv_template) |
5153 | } |
5154 | }, { |
5155 | .alg = "ffdhe3072(dh)" , |
5156 | .test = alg_test_kpp, |
5157 | .fips_allowed = 1, |
5158 | .suite = { |
5159 | .kpp = __VECS(ffdhe3072_dh_tv_template) |
5160 | } |
5161 | }, { |
5162 | .alg = "ffdhe4096(dh)" , |
5163 | .test = alg_test_kpp, |
5164 | .fips_allowed = 1, |
5165 | .suite = { |
5166 | .kpp = __VECS(ffdhe4096_dh_tv_template) |
5167 | } |
5168 | }, { |
5169 | .alg = "ffdhe6144(dh)" , |
5170 | .test = alg_test_kpp, |
5171 | .fips_allowed = 1, |
5172 | .suite = { |
5173 | .kpp = __VECS(ffdhe6144_dh_tv_template) |
5174 | } |
5175 | }, { |
5176 | .alg = "ffdhe8192(dh)" , |
5177 | .test = alg_test_kpp, |
5178 | .fips_allowed = 1, |
5179 | .suite = { |
5180 | .kpp = __VECS(ffdhe8192_dh_tv_template) |
5181 | } |
5182 | }, { |
5183 | #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */ |
5184 | .alg = "gcm(aes)" , |
5185 | .generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)" , |
5186 | .test = alg_test_aead, |
5187 | .fips_allowed = 1, |
5188 | .suite = { |
5189 | .aead = __VECS(aes_gcm_tv_template) |
5190 | } |
5191 | }, { |
5192 | .alg = "gcm(aria)" , |
5193 | .generic_driver = "gcm_base(ctr(aria-generic),ghash-generic)" , |
5194 | .test = alg_test_aead, |
5195 | .suite = { |
5196 | .aead = __VECS(aria_gcm_tv_template) |
5197 | } |
5198 | }, { |
5199 | .alg = "gcm(sm4)" , |
5200 | .generic_driver = "gcm_base(ctr(sm4-generic),ghash-generic)" , |
5201 | .test = alg_test_aead, |
5202 | .suite = { |
5203 | .aead = __VECS(sm4_gcm_tv_template) |
5204 | } |
5205 | }, { |
5206 | .alg = "ghash" , |
5207 | .test = alg_test_hash, |
5208 | .suite = { |
5209 | .hash = __VECS(ghash_tv_template) |
5210 | } |
5211 | }, { |
5212 | .alg = "hctr2(aes)" , |
5213 | .generic_driver = |
5214 | "hctr2_base(xctr(aes-generic),polyval-generic)" , |
5215 | .test = alg_test_skcipher, |
5216 | .suite = { |
5217 | .cipher = __VECS(aes_hctr2_tv_template) |
5218 | } |
5219 | }, { |
5220 | .alg = "hmac(md5)" , |
5221 | .test = alg_test_hash, |
5222 | .suite = { |
5223 | .hash = __VECS(hmac_md5_tv_template) |
5224 | } |
5225 | }, { |
5226 | .alg = "hmac(rmd160)" , |
5227 | .test = alg_test_hash, |
5228 | .suite = { |
5229 | .hash = __VECS(hmac_rmd160_tv_template) |
5230 | } |
5231 | }, { |
5232 | .alg = "hmac(sha1)" , |
5233 | .test = alg_test_hash, |
5234 | .fips_allowed = 1, |
5235 | .suite = { |
5236 | .hash = __VECS(hmac_sha1_tv_template) |
5237 | } |
5238 | }, { |
5239 | .alg = "hmac(sha224)" , |
5240 | .test = alg_test_hash, |
5241 | .fips_allowed = 1, |
5242 | .suite = { |
5243 | .hash = __VECS(hmac_sha224_tv_template) |
5244 | } |
5245 | }, { |
5246 | .alg = "hmac(sha256)" , |
5247 | .test = alg_test_hash, |
5248 | .fips_allowed = 1, |
5249 | .suite = { |
5250 | .hash = __VECS(hmac_sha256_tv_template) |
5251 | } |
5252 | }, { |
5253 | .alg = "hmac(sha3-224)" , |
5254 | .test = alg_test_hash, |
5255 | .fips_allowed = 1, |
5256 | .suite = { |
5257 | .hash = __VECS(hmac_sha3_224_tv_template) |
5258 | } |
5259 | }, { |
5260 | .alg = "hmac(sha3-256)" , |
5261 | .test = alg_test_hash, |
5262 | .fips_allowed = 1, |
5263 | .suite = { |
5264 | .hash = __VECS(hmac_sha3_256_tv_template) |
5265 | } |
5266 | }, { |
5267 | .alg = "hmac(sha3-384)" , |
5268 | .test = alg_test_hash, |
5269 | .fips_allowed = 1, |
5270 | .suite = { |
5271 | .hash = __VECS(hmac_sha3_384_tv_template) |
5272 | } |
5273 | }, { |
5274 | .alg = "hmac(sha3-512)" , |
5275 | .test = alg_test_hash, |
5276 | .fips_allowed = 1, |
5277 | .suite = { |
5278 | .hash = __VECS(hmac_sha3_512_tv_template) |
5279 | } |
5280 | }, { |
5281 | .alg = "hmac(sha384)" , |
5282 | .test = alg_test_hash, |
5283 | .fips_allowed = 1, |
5284 | .suite = { |
5285 | .hash = __VECS(hmac_sha384_tv_template) |
5286 | } |
5287 | }, { |
5288 | .alg = "hmac(sha512)" , |
5289 | .test = alg_test_hash, |
5290 | .fips_allowed = 1, |
5291 | .suite = { |
5292 | .hash = __VECS(hmac_sha512_tv_template) |
5293 | } |
5294 | }, { |
5295 | .alg = "hmac(sm3)" , |
5296 | .test = alg_test_hash, |
5297 | .suite = { |
5298 | .hash = __VECS(hmac_sm3_tv_template) |
5299 | } |
5300 | }, { |
5301 | .alg = "hmac(streebog256)" , |
5302 | .test = alg_test_hash, |
5303 | .suite = { |
5304 | .hash = __VECS(hmac_streebog256_tv_template) |
5305 | } |
5306 | }, { |
5307 | .alg = "hmac(streebog512)" , |
5308 | .test = alg_test_hash, |
5309 | .suite = { |
5310 | .hash = __VECS(hmac_streebog512_tv_template) |
5311 | } |
5312 | }, { |
5313 | .alg = "jitterentropy_rng" , |
5314 | .fips_allowed = 1, |
5315 | .test = alg_test_null, |
5316 | }, { |
5317 | .alg = "kw(aes)" , |
5318 | .test = alg_test_skcipher, |
5319 | .fips_allowed = 1, |
5320 | .suite = { |
5321 | .cipher = __VECS(aes_kw_tv_template) |
5322 | } |
5323 | }, { |
5324 | .alg = "lrw(aes)" , |
5325 | .generic_driver = "lrw(ecb(aes-generic))" , |
5326 | .test = alg_test_skcipher, |
5327 | .suite = { |
5328 | .cipher = __VECS(aes_lrw_tv_template) |
5329 | } |
5330 | }, { |
5331 | .alg = "lrw(camellia)" , |
5332 | .generic_driver = "lrw(ecb(camellia-generic))" , |
5333 | .test = alg_test_skcipher, |
5334 | .suite = { |
5335 | .cipher = __VECS(camellia_lrw_tv_template) |
5336 | } |
5337 | }, { |
5338 | .alg = "lrw(cast6)" , |
5339 | .generic_driver = "lrw(ecb(cast6-generic))" , |
5340 | .test = alg_test_skcipher, |
5341 | .suite = { |
5342 | .cipher = __VECS(cast6_lrw_tv_template) |
5343 | } |
5344 | }, { |
5345 | .alg = "lrw(serpent)" , |
5346 | .generic_driver = "lrw(ecb(serpent-generic))" , |
5347 | .test = alg_test_skcipher, |
5348 | .suite = { |
5349 | .cipher = __VECS(serpent_lrw_tv_template) |
5350 | } |
5351 | }, { |
5352 | .alg = "lrw(twofish)" , |
5353 | .generic_driver = "lrw(ecb(twofish-generic))" , |
5354 | .test = alg_test_skcipher, |
5355 | .suite = { |
5356 | .cipher = __VECS(tf_lrw_tv_template) |
5357 | } |
5358 | }, { |
5359 | .alg = "lz4" , |
5360 | .test = alg_test_comp, |
5361 | .fips_allowed = 1, |
5362 | .suite = { |
5363 | .comp = { |
5364 | .comp = __VECS(lz4_comp_tv_template), |
5365 | .decomp = __VECS(lz4_decomp_tv_template) |
5366 | } |
5367 | } |
5368 | }, { |
5369 | .alg = "lz4hc" , |
5370 | .test = alg_test_comp, |
5371 | .fips_allowed = 1, |
5372 | .suite = { |
5373 | .comp = { |
5374 | .comp = __VECS(lz4hc_comp_tv_template), |
5375 | .decomp = __VECS(lz4hc_decomp_tv_template) |
5376 | } |
5377 | } |
5378 | }, { |
5379 | .alg = "lzo" , |
5380 | .test = alg_test_comp, |
5381 | .fips_allowed = 1, |
5382 | .suite = { |
5383 | .comp = { |
5384 | .comp = __VECS(lzo_comp_tv_template), |
5385 | .decomp = __VECS(lzo_decomp_tv_template) |
5386 | } |
5387 | } |
5388 | }, { |
5389 | .alg = "lzo-rle" , |
5390 | .test = alg_test_comp, |
5391 | .fips_allowed = 1, |
5392 | .suite = { |
5393 | .comp = { |
5394 | .comp = __VECS(lzorle_comp_tv_template), |
5395 | .decomp = __VECS(lzorle_decomp_tv_template) |
5396 | } |
5397 | } |
5398 | }, { |
5399 | .alg = "md4" , |
5400 | .test = alg_test_hash, |
5401 | .suite = { |
5402 | .hash = __VECS(md4_tv_template) |
5403 | } |
5404 | }, { |
5405 | .alg = "md5" , |
5406 | .test = alg_test_hash, |
5407 | .suite = { |
5408 | .hash = __VECS(md5_tv_template) |
5409 | } |
5410 | }, { |
5411 | .alg = "michael_mic" , |
5412 | .test = alg_test_hash, |
5413 | .suite = { |
5414 | .hash = __VECS(michael_mic_tv_template) |
5415 | } |
5416 | }, { |
5417 | .alg = "nhpoly1305" , |
5418 | .test = alg_test_hash, |
5419 | .suite = { |
5420 | .hash = __VECS(nhpoly1305_tv_template) |
5421 | } |
5422 | }, { |
5423 | .alg = "ofb(aes)" , |
5424 | .test = alg_test_skcipher, |
5425 | .fips_allowed = 1, |
5426 | .suite = { |
5427 | .cipher = __VECS(aes_ofb_tv_template) |
5428 | } |
5429 | }, { |
5430 | /* Same as ofb(aes) except the key is stored in |
5431 | * hardware secure memory which we reference by index |
5432 | */ |
5433 | .alg = "ofb(paes)" , |
5434 | .test = alg_test_null, |
5435 | .fips_allowed = 1, |
5436 | }, { |
5437 | .alg = "ofb(sm4)" , |
5438 | .test = alg_test_skcipher, |
5439 | .suite = { |
5440 | .cipher = __VECS(sm4_ofb_tv_template) |
5441 | } |
5442 | }, { |
5443 | .alg = "pcbc(fcrypt)" , |
5444 | .test = alg_test_skcipher, |
5445 | .suite = { |
5446 | .cipher = __VECS(fcrypt_pcbc_tv_template) |
5447 | } |
5448 | }, { |
5449 | .alg = "pkcs1pad(rsa,sha224)" , |
5450 | .test = alg_test_null, |
5451 | .fips_allowed = 1, |
5452 | }, { |
5453 | .alg = "pkcs1pad(rsa,sha256)" , |
5454 | .test = alg_test_akcipher, |
5455 | .fips_allowed = 1, |
5456 | .suite = { |
5457 | .akcipher = __VECS(pkcs1pad_rsa_tv_template) |
5458 | } |
5459 | }, { |
5460 | .alg = "pkcs1pad(rsa,sha3-256)" , |
5461 | .test = alg_test_null, |
5462 | .fips_allowed = 1, |
5463 | }, { |
5464 | .alg = "pkcs1pad(rsa,sha3-384)" , |
5465 | .test = alg_test_null, |
5466 | .fips_allowed = 1, |
5467 | }, { |
5468 | .alg = "pkcs1pad(rsa,sha3-512)" , |
5469 | .test = alg_test_null, |
5470 | .fips_allowed = 1, |
5471 | }, { |
5472 | .alg = "pkcs1pad(rsa,sha384)" , |
5473 | .test = alg_test_null, |
5474 | .fips_allowed = 1, |
5475 | }, { |
5476 | .alg = "pkcs1pad(rsa,sha512)" , |
5477 | .test = alg_test_null, |
5478 | .fips_allowed = 1, |
5479 | }, { |
5480 | .alg = "poly1305" , |
5481 | .test = alg_test_hash, |
5482 | .suite = { |
5483 | .hash = __VECS(poly1305_tv_template) |
5484 | } |
5485 | }, { |
5486 | .alg = "polyval" , |
5487 | .test = alg_test_hash, |
5488 | .suite = { |
5489 | .hash = __VECS(polyval_tv_template) |
5490 | } |
5491 | }, { |
5492 | .alg = "rfc3686(ctr(aes))" , |
5493 | .test = alg_test_skcipher, |
5494 | .fips_allowed = 1, |
5495 | .suite = { |
5496 | .cipher = __VECS(aes_ctr_rfc3686_tv_template) |
5497 | } |
5498 | }, { |
5499 | .alg = "rfc3686(ctr(sm4))" , |
5500 | .test = alg_test_skcipher, |
5501 | .suite = { |
5502 | .cipher = __VECS(sm4_ctr_rfc3686_tv_template) |
5503 | } |
5504 | }, { |
5505 | .alg = "rfc4106(gcm(aes))" , |
5506 | .generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))" , |
5507 | .test = alg_test_aead, |
5508 | .fips_allowed = 1, |
5509 | .suite = { |
5510 | .aead = { |
5511 | ____VECS(aes_gcm_rfc4106_tv_template), |
5512 | .einval_allowed = 1, |
5513 | .aad_iv = 1, |
5514 | } |
5515 | } |
5516 | }, { |
5517 | .alg = "rfc4309(ccm(aes))" , |
5518 | .generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))" , |
5519 | .test = alg_test_aead, |
5520 | .fips_allowed = 1, |
5521 | .suite = { |
5522 | .aead = { |
5523 | ____VECS(aes_ccm_rfc4309_tv_template), |
5524 | .einval_allowed = 1, |
5525 | .aad_iv = 1, |
5526 | } |
5527 | } |
5528 | }, { |
5529 | .alg = "rfc4543(gcm(aes))" , |
5530 | .generic_driver = "rfc4543(gcm_base(ctr(aes-generic),ghash-generic))" , |
5531 | .test = alg_test_aead, |
5532 | .suite = { |
5533 | .aead = { |
5534 | ____VECS(aes_gcm_rfc4543_tv_template), |
5535 | .einval_allowed = 1, |
5536 | .aad_iv = 1, |
5537 | } |
5538 | } |
5539 | }, { |
5540 | .alg = "rfc7539(chacha20,poly1305)" , |
5541 | .test = alg_test_aead, |
5542 | .suite = { |
5543 | .aead = __VECS(rfc7539_tv_template) |
5544 | } |
5545 | }, { |
5546 | .alg = "rfc7539esp(chacha20,poly1305)" , |
5547 | .test = alg_test_aead, |
5548 | .suite = { |
5549 | .aead = { |
5550 | ____VECS(rfc7539esp_tv_template), |
5551 | .einval_allowed = 1, |
5552 | .aad_iv = 1, |
5553 | } |
5554 | } |
5555 | }, { |
5556 | .alg = "rmd160" , |
5557 | .test = alg_test_hash, |
5558 | .suite = { |
5559 | .hash = __VECS(rmd160_tv_template) |
5560 | } |
5561 | }, { |
5562 | .alg = "rsa" , |
5563 | .test = alg_test_akcipher, |
5564 | .fips_allowed = 1, |
5565 | .suite = { |
5566 | .akcipher = __VECS(rsa_tv_template) |
5567 | } |
5568 | }, { |
5569 | .alg = "sha1" , |
5570 | .test = alg_test_hash, |
5571 | .fips_allowed = 1, |
5572 | .suite = { |
5573 | .hash = __VECS(sha1_tv_template) |
5574 | } |
5575 | }, { |
5576 | .alg = "sha224" , |
5577 | .test = alg_test_hash, |
5578 | .fips_allowed = 1, |
5579 | .suite = { |
5580 | .hash = __VECS(sha224_tv_template) |
5581 | } |
5582 | }, { |
5583 | .alg = "sha256" , |
5584 | .test = alg_test_hash, |
5585 | .fips_allowed = 1, |
5586 | .suite = { |
5587 | .hash = __VECS(sha256_tv_template) |
5588 | } |
5589 | }, { |
5590 | .alg = "sha3-224" , |
5591 | .test = alg_test_hash, |
5592 | .fips_allowed = 1, |
5593 | .suite = { |
5594 | .hash = __VECS(sha3_224_tv_template) |
5595 | } |
5596 | }, { |
5597 | .alg = "sha3-256" , |
5598 | .test = alg_test_hash, |
5599 | .fips_allowed = 1, |
5600 | .suite = { |
5601 | .hash = __VECS(sha3_256_tv_template) |
5602 | } |
5603 | }, { |
5604 | .alg = "sha3-384" , |
5605 | .test = alg_test_hash, |
5606 | .fips_allowed = 1, |
5607 | .suite = { |
5608 | .hash = __VECS(sha3_384_tv_template) |
5609 | } |
5610 | }, { |
5611 | .alg = "sha3-512" , |
5612 | .test = alg_test_hash, |
5613 | .fips_allowed = 1, |
5614 | .suite = { |
5615 | .hash = __VECS(sha3_512_tv_template) |
5616 | } |
5617 | }, { |
5618 | .alg = "sha384" , |
5619 | .test = alg_test_hash, |
5620 | .fips_allowed = 1, |
5621 | .suite = { |
5622 | .hash = __VECS(sha384_tv_template) |
5623 | } |
5624 | }, { |
5625 | .alg = "sha512" , |
5626 | .test = alg_test_hash, |
5627 | .fips_allowed = 1, |
5628 | .suite = { |
5629 | .hash = __VECS(sha512_tv_template) |
5630 | } |
5631 | }, { |
5632 | .alg = "sm2" , |
5633 | .test = alg_test_akcipher, |
5634 | .suite = { |
5635 | .akcipher = __VECS(sm2_tv_template) |
5636 | } |
5637 | }, { |
5638 | .alg = "sm3" , |
5639 | .test = alg_test_hash, |
5640 | .suite = { |
5641 | .hash = __VECS(sm3_tv_template) |
5642 | } |
5643 | }, { |
5644 | .alg = "streebog256" , |
5645 | .test = alg_test_hash, |
5646 | .suite = { |
5647 | .hash = __VECS(streebog256_tv_template) |
5648 | } |
5649 | }, { |
5650 | .alg = "streebog512" , |
5651 | .test = alg_test_hash, |
5652 | .suite = { |
5653 | .hash = __VECS(streebog512_tv_template) |
5654 | } |
5655 | }, { |
5656 | .alg = "vmac64(aes)" , |
5657 | .test = alg_test_hash, |
5658 | .suite = { |
5659 | .hash = __VECS(vmac64_aes_tv_template) |
5660 | } |
5661 | }, { |
5662 | .alg = "wp256" , |
5663 | .test = alg_test_hash, |
5664 | .suite = { |
5665 | .hash = __VECS(wp256_tv_template) |
5666 | } |
5667 | }, { |
5668 | .alg = "wp384" , |
5669 | .test = alg_test_hash, |
5670 | .suite = { |
5671 | .hash = __VECS(wp384_tv_template) |
5672 | } |
5673 | }, { |
5674 | .alg = "wp512" , |
5675 | .test = alg_test_hash, |
5676 | .suite = { |
5677 | .hash = __VECS(wp512_tv_template) |
5678 | } |
5679 | }, { |
5680 | .alg = "xcbc(aes)" , |
5681 | .test = alg_test_hash, |
5682 | .suite = { |
5683 | .hash = __VECS(aes_xcbc128_tv_template) |
5684 | } |
5685 | }, { |
5686 | .alg = "xcbc(sm4)" , |
5687 | .test = alg_test_hash, |
5688 | .suite = { |
5689 | .hash = __VECS(sm4_xcbc128_tv_template) |
5690 | } |
5691 | }, { |
5692 | .alg = "xchacha12" , |
5693 | .test = alg_test_skcipher, |
5694 | .suite = { |
5695 | .cipher = __VECS(xchacha12_tv_template) |
5696 | }, |
5697 | }, { |
5698 | .alg = "xchacha20" , |
5699 | .test = alg_test_skcipher, |
5700 | .suite = { |
5701 | .cipher = __VECS(xchacha20_tv_template) |
5702 | }, |
5703 | }, { |
5704 | .alg = "xctr(aes)" , |
5705 | .test = alg_test_skcipher, |
5706 | .suite = { |
5707 | .cipher = __VECS(aes_xctr_tv_template) |
5708 | } |
5709 | }, { |
5710 | .alg = "xts(aes)" , |
5711 | .generic_driver = "xts(ecb(aes-generic))" , |
5712 | .test = alg_test_skcipher, |
5713 | .fips_allowed = 1, |
5714 | .suite = { |
5715 | .cipher = __VECS(aes_xts_tv_template) |
5716 | } |
5717 | }, { |
5718 | .alg = "xts(camellia)" , |
5719 | .generic_driver = "xts(ecb(camellia-generic))" , |
5720 | .test = alg_test_skcipher, |
5721 | .suite = { |
5722 | .cipher = __VECS(camellia_xts_tv_template) |
5723 | } |
5724 | }, { |
5725 | .alg = "xts(cast6)" , |
5726 | .generic_driver = "xts(ecb(cast6-generic))" , |
5727 | .test = alg_test_skcipher, |
5728 | .suite = { |
5729 | .cipher = __VECS(cast6_xts_tv_template) |
5730 | } |
5731 | }, { |
5732 | /* Same as xts(aes) except the key is stored in |
5733 | * hardware secure memory which we reference by index |
5734 | */ |
5735 | .alg = "xts(paes)" , |
5736 | .test = alg_test_null, |
5737 | .fips_allowed = 1, |
5738 | }, { |
5739 | .alg = "xts(serpent)" , |
5740 | .generic_driver = "xts(ecb(serpent-generic))" , |
5741 | .test = alg_test_skcipher, |
5742 | .suite = { |
5743 | .cipher = __VECS(serpent_xts_tv_template) |
5744 | } |
5745 | }, { |
5746 | .alg = "xts(sm4)" , |
5747 | .generic_driver = "xts(ecb(sm4-generic))" , |
5748 | .test = alg_test_skcipher, |
5749 | .suite = { |
5750 | .cipher = __VECS(sm4_xts_tv_template) |
5751 | } |
5752 | }, { |
5753 | .alg = "xts(twofish)" , |
5754 | .generic_driver = "xts(ecb(twofish-generic))" , |
5755 | .test = alg_test_skcipher, |
5756 | .suite = { |
5757 | .cipher = __VECS(tf_xts_tv_template) |
5758 | } |
5759 | }, { |
5760 | #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390) |
5761 | .alg = "xts-paes-s390" , |
5762 | .fips_allowed = 1, |
5763 | .test = alg_test_skcipher, |
5764 | .suite = { |
5765 | .cipher = __VECS(aes_xts_tv_template) |
5766 | } |
5767 | }, { |
5768 | #endif |
5769 | .alg = "xts4096(paes)" , |
5770 | .test = alg_test_null, |
5771 | .fips_allowed = 1, |
5772 | }, { |
5773 | .alg = "xts512(paes)" , |
5774 | .test = alg_test_null, |
5775 | .fips_allowed = 1, |
5776 | }, { |
5777 | .alg = "xxhash64" , |
5778 | .test = alg_test_hash, |
5779 | .fips_allowed = 1, |
5780 | .suite = { |
5781 | .hash = __VECS(xxhash64_tv_template) |
5782 | } |
5783 | }, { |
5784 | .alg = "zstd" , |
5785 | .test = alg_test_comp, |
5786 | .fips_allowed = 1, |
5787 | .suite = { |
5788 | .comp = { |
5789 | .comp = __VECS(zstd_comp_tv_template), |
5790 | .decomp = __VECS(zstd_decomp_tv_template) |
5791 | } |
5792 | } |
5793 | } |
5794 | }; |
5795 | |
5796 | static void alg_check_test_descs_order(void) |
5797 | { |
5798 | int i; |
5799 | |
5800 | for (i = 1; i < ARRAY_SIZE(alg_test_descs); i++) { |
5801 | int diff = strcmp(alg_test_descs[i - 1].alg, |
5802 | alg_test_descs[i].alg); |
5803 | |
5804 | if (WARN_ON(diff > 0)) { |
5805 | pr_warn("testmgr: alg_test_descs entries in wrong order: '%s' before '%s'\n" , |
5806 | alg_test_descs[i - 1].alg, |
5807 | alg_test_descs[i].alg); |
5808 | } |
5809 | |
5810 | if (WARN_ON(diff == 0)) { |
5811 | pr_warn("testmgr: duplicate alg_test_descs entry: '%s'\n" , |
5812 | alg_test_descs[i].alg); |
5813 | } |
5814 | } |
5815 | } |
5816 | |
5817 | static void alg_check_testvec_configs(void) |
5818 | { |
5819 | int i; |
5820 | |
5821 | for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) |
5822 | WARN_ON(!valid_testvec_config( |
5823 | &default_cipher_testvec_configs[i])); |
5824 | |
5825 | for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++) |
5826 | WARN_ON(!valid_testvec_config( |
5827 | &default_hash_testvec_configs[i])); |
5828 | } |
5829 | |
5830 | static void testmgr_onetime_init(void) |
5831 | { |
5832 | alg_check_test_descs_order(); |
5833 | alg_check_testvec_configs(); |
5834 | |
5835 | #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS |
5836 | pr_warn("alg: extra crypto tests enabled. This is intended for developer use only.\n" ); |
5837 | #endif |
5838 | } |
5839 | |
5840 | static int alg_find_test(const char *alg) |
5841 | { |
5842 | int start = 0; |
5843 | int end = ARRAY_SIZE(alg_test_descs); |
5844 | |
5845 | while (start < end) { |
5846 | int i = (start + end) / 2; |
5847 | int diff = strcmp(alg_test_descs[i].alg, alg); |
5848 | |
5849 | if (diff > 0) { |
5850 | end = i; |
5851 | continue; |
5852 | } |
5853 | |
5854 | if (diff < 0) { |
5855 | start = i + 1; |
5856 | continue; |
5857 | } |
5858 | |
5859 | return i; |
5860 | } |
5861 | |
5862 | return -1; |
5863 | } |
5864 | |
5865 | static int alg_fips_disabled(const char *driver, const char *alg) |
5866 | { |
5867 | pr_info("alg: %s (%s) is disabled due to FIPS\n" , alg, driver); |
5868 | |
5869 | return -ECANCELED; |
5870 | } |
5871 | |
5872 | int alg_test(const char *driver, const char *alg, u32 type, u32 mask) |
5873 | { |
5874 | int i; |
5875 | int j; |
5876 | int rc; |
5877 | |
5878 | if (!fips_enabled && notests) { |
5879 | printk_once(KERN_INFO "alg: self-tests disabled\n" ); |
5880 | return 0; |
5881 | } |
5882 | |
5883 | DO_ONCE(testmgr_onetime_init); |
5884 | |
5885 | if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) { |
5886 | char nalg[CRYPTO_MAX_ALG_NAME]; |
5887 | |
5888 | if (snprintf(nalg, sizeof(nalg), "ecb(%s)" , alg) >= |
5889 | sizeof(nalg)) |
5890 | return -ENAMETOOLONG; |
5891 | |
5892 | i = alg_find_test(nalg); |
5893 | if (i < 0) |
5894 | goto notest; |
5895 | |
5896 | if (fips_enabled && !alg_test_descs[i].fips_allowed) |
5897 | goto non_fips_alg; |
5898 | |
5899 | rc = alg_test_cipher(alg_test_descs + i, driver, type, mask); |
5900 | goto test_done; |
5901 | } |
5902 | |
5903 | i = alg_find_test(alg); |
5904 | j = alg_find_test(driver); |
5905 | if (i < 0 && j < 0) |
5906 | goto notest; |
5907 | |
5908 | if (fips_enabled) { |
5909 | if (j >= 0 && !alg_test_descs[j].fips_allowed) |
5910 | return -EINVAL; |
5911 | |
5912 | if (i >= 0 && !alg_test_descs[i].fips_allowed) |
5913 | goto non_fips_alg; |
5914 | } |
5915 | |
5916 | rc = 0; |
5917 | if (i >= 0) |
5918 | rc |= alg_test_descs[i].test(alg_test_descs + i, driver, |
5919 | type, mask); |
5920 | if (j >= 0 && j != i) |
5921 | rc |= alg_test_descs[j].test(alg_test_descs + j, driver, |
5922 | type, mask); |
5923 | |
5924 | test_done: |
5925 | if (rc) { |
5926 | if (fips_enabled || panic_on_fail) { |
5927 | fips_fail_notify(); |
5928 | panic("alg: self-tests for %s (%s) failed in %s mode!\n" , |
5929 | driver, alg, |
5930 | fips_enabled ? "fips" : "panic_on_fail" ); |
5931 | } |
5932 | pr_warn("alg: self-tests for %s using %s failed (rc=%d)" , |
5933 | alg, driver, rc); |
5934 | WARN(rc != -ENOENT, |
5935 | "alg: self-tests for %s using %s failed (rc=%d)" , |
5936 | alg, driver, rc); |
5937 | } else { |
5938 | if (fips_enabled) |
5939 | pr_info("alg: self-tests for %s (%s) passed\n" , |
5940 | driver, alg); |
5941 | } |
5942 | |
5943 | return rc; |
5944 | |
5945 | notest: |
5946 | if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_LSKCIPHER) { |
5947 | char nalg[CRYPTO_MAX_ALG_NAME]; |
5948 | |
5949 | if (snprintf(nalg, sizeof(nalg), "ecb(%s)" , alg) >= |
5950 | sizeof(nalg)) |
5951 | goto notest2; |
5952 | |
5953 | i = alg_find_test(nalg); |
5954 | if (i < 0) |
5955 | goto notest2; |
5956 | |
5957 | if (fips_enabled && !alg_test_descs[i].fips_allowed) |
5958 | goto non_fips_alg; |
5959 | |
5960 | rc = alg_test_skcipher(alg_test_descs + i, driver, type, mask); |
5961 | goto test_done; |
5962 | } |
5963 | |
5964 | notest2: |
5965 | printk(KERN_INFO "alg: No test for %s (%s)\n" , alg, driver); |
5966 | |
5967 | if (type & CRYPTO_ALG_FIPS_INTERNAL) |
5968 | return alg_fips_disabled(driver, alg); |
5969 | |
5970 | return 0; |
5971 | non_fips_alg: |
5972 | return alg_fips_disabled(driver, alg); |
5973 | } |
5974 | |
5975 | #endif /* CONFIG_CRYPTO_MANAGER_DISABLE_TESTS */ |
5976 | |
5977 | EXPORT_SYMBOL_GPL(alg_test); |
5978 | |