xref: /openbmc/linux/crypto/testmgr.c (revision a347279d)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Algorithm testing framework and tests.
4  *
5  * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
6  * Copyright (c) 2002 Jean-Francois Dive <jef@linuxbe.org>
7  * Copyright (c) 2007 Nokia Siemens Networks
8  * Copyright (c) 2008 Herbert Xu <herbert@gondor.apana.org.au>
9  * Copyright (c) 2019 Google LLC
10  *
11  * Updated RFC4106 AES-GCM testing.
12  *    Authors: Aidan O'Mahony (aidan.o.mahony@intel.com)
13  *             Adrian Hoban <adrian.hoban@intel.com>
14  *             Gabriele Paoloni <gabriele.paoloni@intel.com>
15  *             Tadeusz Struk (tadeusz.struk@intel.com)
16  *    Copyright (c) 2010, Intel Corporation.
17  */
18 
19 #include <crypto/aead.h>
20 #include <crypto/hash.h>
21 #include <crypto/skcipher.h>
22 #include <linux/err.h>
23 #include <linux/fips.h>
24 #include <linux/module.h>
25 #include <linux/once.h>
26 #include <linux/random.h>
27 #include <linux/scatterlist.h>
28 #include <linux/slab.h>
29 #include <linux/string.h>
30 #include <linux/uio.h>
31 #include <crypto/rng.h>
32 #include <crypto/drbg.h>
33 #include <crypto/akcipher.h>
34 #include <crypto/kpp.h>
35 #include <crypto/acompress.h>
36 #include <crypto/internal/cipher.h>
37 #include <crypto/internal/simd.h>
38 
39 #include "internal.h"
40 
41 MODULE_IMPORT_NS(CRYPTO_INTERNAL);
42 
43 static bool notests;
44 module_param(notests, bool, 0644);
45 MODULE_PARM_DESC(notests, "disable crypto self-tests");
46 
47 static bool panic_on_fail;
48 module_param(panic_on_fail, bool, 0444);
49 
50 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
51 static bool noextratests;
52 module_param(noextratests, bool, 0644);
53 MODULE_PARM_DESC(noextratests, "disable expensive crypto self-tests");
54 
55 static unsigned int fuzz_iterations = 100;
56 module_param(fuzz_iterations, uint, 0644);
57 MODULE_PARM_DESC(fuzz_iterations, "number of fuzz test iterations");
58 #endif
59 
60 #ifdef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS
61 
62 /* a perfect nop */
63 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
64 {
65 	return 0;
66 }
67 
68 #else
69 
70 #include "testmgr.h"
71 
72 /*
73  * Need slab memory for testing (size in number of pages).
74  */
75 #define XBUFSIZE	8
76 
77 /*
78 * Used by test_cipher()
79 */
80 #define ENCRYPT 1
81 #define DECRYPT 0
82 
83 struct aead_test_suite {
84 	const struct aead_testvec *vecs;
85 	unsigned int count;
86 
87 	/*
88 	 * Set if trying to decrypt an inauthentic ciphertext with this
89 	 * algorithm might result in EINVAL rather than EBADMSG, due to other
90 	 * validation the algorithm does on the inputs such as length checks.
91 	 */
92 	unsigned int einval_allowed : 1;
93 
94 	/*
95 	 * Set if this algorithm requires that the IV be located at the end of
96 	 * the AAD buffer, in addition to being given in the normal way.  The
97 	 * behavior when the two IV copies differ is implementation-defined.
98 	 */
99 	unsigned int aad_iv : 1;
100 };
101 
102 struct cipher_test_suite {
103 	const struct cipher_testvec *vecs;
104 	unsigned int count;
105 };
106 
107 struct comp_test_suite {
108 	struct {
109 		const struct comp_testvec *vecs;
110 		unsigned int count;
111 	} comp, decomp;
112 };
113 
114 struct hash_test_suite {
115 	const struct hash_testvec *vecs;
116 	unsigned int count;
117 };
118 
119 struct cprng_test_suite {
120 	const struct cprng_testvec *vecs;
121 	unsigned int count;
122 };
123 
124 struct drbg_test_suite {
125 	const struct drbg_testvec *vecs;
126 	unsigned int count;
127 };
128 
129 struct akcipher_test_suite {
130 	const struct akcipher_testvec *vecs;
131 	unsigned int count;
132 };
133 
134 struct kpp_test_suite {
135 	const struct kpp_testvec *vecs;
136 	unsigned int count;
137 };
138 
139 struct alg_test_desc {
140 	const char *alg;
141 	const char *generic_driver;
142 	int (*test)(const struct alg_test_desc *desc, const char *driver,
143 		    u32 type, u32 mask);
144 	int fips_allowed;	/* set if alg is allowed in fips mode */
145 
146 	union {
147 		struct aead_test_suite aead;
148 		struct cipher_test_suite cipher;
149 		struct comp_test_suite comp;
150 		struct hash_test_suite hash;
151 		struct cprng_test_suite cprng;
152 		struct drbg_test_suite drbg;
153 		struct akcipher_test_suite akcipher;
154 		struct kpp_test_suite kpp;
155 	} suite;
156 };
157 
158 static void hexdump(unsigned char *buf, unsigned int len)
159 {
160 	print_hex_dump(KERN_CONT, "", DUMP_PREFIX_OFFSET,
161 			16, 1,
162 			buf, len, false);
163 }
164 
165 static int __testmgr_alloc_buf(char *buf[XBUFSIZE], int order)
166 {
167 	int i;
168 
169 	for (i = 0; i < XBUFSIZE; i++) {
170 		buf[i] = (char *)__get_free_pages(GFP_KERNEL, order);
171 		if (!buf[i])
172 			goto err_free_buf;
173 	}
174 
175 	return 0;
176 
177 err_free_buf:
178 	while (i-- > 0)
179 		free_pages((unsigned long)buf[i], order);
180 
181 	return -ENOMEM;
182 }
183 
184 static int testmgr_alloc_buf(char *buf[XBUFSIZE])
185 {
186 	return __testmgr_alloc_buf(buf, 0);
187 }
188 
189 static void __testmgr_free_buf(char *buf[XBUFSIZE], int order)
190 {
191 	int i;
192 
193 	for (i = 0; i < XBUFSIZE; i++)
194 		free_pages((unsigned long)buf[i], order);
195 }
196 
197 static void testmgr_free_buf(char *buf[XBUFSIZE])
198 {
199 	__testmgr_free_buf(buf, 0);
200 }
201 
202 #define TESTMGR_POISON_BYTE	0xfe
203 #define TESTMGR_POISON_LEN	16
204 
205 static inline void testmgr_poison(void *addr, size_t len)
206 {
207 	memset(addr, TESTMGR_POISON_BYTE, len);
208 }
209 
210 /* Is the memory region still fully poisoned? */
211 static inline bool testmgr_is_poison(const void *addr, size_t len)
212 {
213 	return memchr_inv(addr, TESTMGR_POISON_BYTE, len) == NULL;
214 }
215 
216 /* flush type for hash algorithms */
217 enum flush_type {
218 	/* merge with update of previous buffer(s) */
219 	FLUSH_TYPE_NONE = 0,
220 
221 	/* update with previous buffer(s) before doing this one */
222 	FLUSH_TYPE_FLUSH,
223 
224 	/* likewise, but also export and re-import the intermediate state */
225 	FLUSH_TYPE_REIMPORT,
226 };
227 
228 /* finalization function for hash algorithms */
229 enum finalization_type {
230 	FINALIZATION_TYPE_FINAL,	/* use final() */
231 	FINALIZATION_TYPE_FINUP,	/* use finup() */
232 	FINALIZATION_TYPE_DIGEST,	/* use digest() */
233 };
234 
235 /*
236  * Whether the crypto operation will occur in-place, and if so whether the
237  * source and destination scatterlist pointers will coincide (req->src ==
238  * req->dst), or whether they'll merely point to two separate scatterlists
239  * (req->src != req->dst) that reference the same underlying memory.
240  *
241  * This is only relevant for algorithm types that support in-place operation.
242  */
243 enum inplace_mode {
244 	OUT_OF_PLACE,
245 	INPLACE_ONE_SGLIST,
246 	INPLACE_TWO_SGLISTS,
247 };
248 
249 #define TEST_SG_TOTAL	10000
250 
251 /**
252  * struct test_sg_division - description of a scatterlist entry
253  *
254  * This struct describes one entry of a scatterlist being constructed to check a
255  * crypto test vector.
256  *
257  * @proportion_of_total: length of this chunk relative to the total length,
258  *			 given as a proportion out of TEST_SG_TOTAL so that it
259  *			 scales to fit any test vector
260  * @offset: byte offset into a 2-page buffer at which this chunk will start
261  * @offset_relative_to_alignmask: if true, add the algorithm's alignmask to the
262  *				  @offset
263  * @flush_type: for hashes, whether an update() should be done now vs.
264  *		continuing to accumulate data
265  * @nosimd: if doing the pending update(), do it with SIMD disabled?
266  */
267 struct test_sg_division {
268 	unsigned int proportion_of_total;
269 	unsigned int offset;
270 	bool offset_relative_to_alignmask;
271 	enum flush_type flush_type;
272 	bool nosimd;
273 };
274 
275 /**
276  * struct testvec_config - configuration for testing a crypto test vector
277  *
278  * This struct describes the data layout and other parameters with which each
279  * crypto test vector can be tested.
280  *
281  * @name: name of this config, logged for debugging purposes if a test fails
282  * @inplace_mode: whether and how to operate on the data in-place, if applicable
283  * @req_flags: extra request_flags, e.g. CRYPTO_TFM_REQ_MAY_SLEEP
284  * @src_divs: description of how to arrange the source scatterlist
285  * @dst_divs: description of how to arrange the dst scatterlist, if applicable
286  *	      for the algorithm type.  Defaults to @src_divs if unset.
287  * @iv_offset: misalignment of the IV in the range [0..MAX_ALGAPI_ALIGNMASK+1],
288  *	       where 0 is aligned to a 2*(MAX_ALGAPI_ALIGNMASK+1) byte boundary
289  * @iv_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
290  *				     the @iv_offset
291  * @key_offset: misalignment of the key, where 0 is default alignment
292  * @key_offset_relative_to_alignmask: if true, add the algorithm's alignmask to
293  *				      the @key_offset
294  * @finalization_type: what finalization function to use for hashes
295  * @nosimd: execute with SIMD disabled?  Requires !CRYPTO_TFM_REQ_MAY_SLEEP.
296  */
297 struct testvec_config {
298 	const char *name;
299 	enum inplace_mode inplace_mode;
300 	u32 req_flags;
301 	struct test_sg_division src_divs[XBUFSIZE];
302 	struct test_sg_division dst_divs[XBUFSIZE];
303 	unsigned int iv_offset;
304 	unsigned int key_offset;
305 	bool iv_offset_relative_to_alignmask;
306 	bool key_offset_relative_to_alignmask;
307 	enum finalization_type finalization_type;
308 	bool nosimd;
309 };
310 
311 #define TESTVEC_CONFIG_NAMELEN	192
312 
313 /*
314  * The following are the lists of testvec_configs to test for each algorithm
315  * type when the basic crypto self-tests are enabled, i.e. when
316  * CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is unset.  They aim to provide good test
317  * coverage, while keeping the test time much shorter than the full fuzz tests
318  * so that the basic tests can be enabled in a wider range of circumstances.
319  */
320 
321 /* Configs for skciphers and aeads */
322 static const struct testvec_config default_cipher_testvec_configs[] = {
323 	{
324 		.name = "in-place (one sglist)",
325 		.inplace_mode = INPLACE_ONE_SGLIST,
326 		.src_divs = { { .proportion_of_total = 10000 } },
327 	}, {
328 		.name = "in-place (two sglists)",
329 		.inplace_mode = INPLACE_TWO_SGLISTS,
330 		.src_divs = { { .proportion_of_total = 10000 } },
331 	}, {
332 		.name = "out-of-place",
333 		.inplace_mode = OUT_OF_PLACE,
334 		.src_divs = { { .proportion_of_total = 10000 } },
335 	}, {
336 		.name = "unaligned buffer, offset=1",
337 		.src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
338 		.iv_offset = 1,
339 		.key_offset = 1,
340 	}, {
341 		.name = "buffer aligned only to alignmask",
342 		.src_divs = {
343 			{
344 				.proportion_of_total = 10000,
345 				.offset = 1,
346 				.offset_relative_to_alignmask = true,
347 			},
348 		},
349 		.iv_offset = 1,
350 		.iv_offset_relative_to_alignmask = true,
351 		.key_offset = 1,
352 		.key_offset_relative_to_alignmask = true,
353 	}, {
354 		.name = "two even aligned splits",
355 		.src_divs = {
356 			{ .proportion_of_total = 5000 },
357 			{ .proportion_of_total = 5000 },
358 		},
359 	}, {
360 		.name = "one src, two even splits dst",
361 		.inplace_mode = OUT_OF_PLACE,
362 		.src_divs = { { .proportion_of_total = 10000 } },
363 		.dst_divs = {
364 			{ .proportion_of_total = 5000 },
365 			{ .proportion_of_total = 5000 },
366 		 },
367 	}, {
368 		.name = "uneven misaligned splits, may sleep",
369 		.req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
370 		.src_divs = {
371 			{ .proportion_of_total = 1900, .offset = 33 },
372 			{ .proportion_of_total = 3300, .offset = 7  },
373 			{ .proportion_of_total = 4800, .offset = 18 },
374 		},
375 		.iv_offset = 3,
376 		.key_offset = 3,
377 	}, {
378 		.name = "misaligned splits crossing pages, inplace",
379 		.inplace_mode = INPLACE_ONE_SGLIST,
380 		.src_divs = {
381 			{
382 				.proportion_of_total = 7500,
383 				.offset = PAGE_SIZE - 32
384 			}, {
385 				.proportion_of_total = 2500,
386 				.offset = PAGE_SIZE - 7
387 			},
388 		},
389 	}
390 };
391 
392 static const struct testvec_config default_hash_testvec_configs[] = {
393 	{
394 		.name = "init+update+final aligned buffer",
395 		.src_divs = { { .proportion_of_total = 10000 } },
396 		.finalization_type = FINALIZATION_TYPE_FINAL,
397 	}, {
398 		.name = "init+finup aligned buffer",
399 		.src_divs = { { .proportion_of_total = 10000 } },
400 		.finalization_type = FINALIZATION_TYPE_FINUP,
401 	}, {
402 		.name = "digest aligned buffer",
403 		.src_divs = { { .proportion_of_total = 10000 } },
404 		.finalization_type = FINALIZATION_TYPE_DIGEST,
405 	}, {
406 		.name = "init+update+final misaligned buffer",
407 		.src_divs = { { .proportion_of_total = 10000, .offset = 1 } },
408 		.finalization_type = FINALIZATION_TYPE_FINAL,
409 		.key_offset = 1,
410 	}, {
411 		.name = "digest buffer aligned only to alignmask",
412 		.src_divs = {
413 			{
414 				.proportion_of_total = 10000,
415 				.offset = 1,
416 				.offset_relative_to_alignmask = true,
417 			},
418 		},
419 		.finalization_type = FINALIZATION_TYPE_DIGEST,
420 		.key_offset = 1,
421 		.key_offset_relative_to_alignmask = true,
422 	}, {
423 		.name = "init+update+update+final two even splits",
424 		.src_divs = {
425 			{ .proportion_of_total = 5000 },
426 			{
427 				.proportion_of_total = 5000,
428 				.flush_type = FLUSH_TYPE_FLUSH,
429 			},
430 		},
431 		.finalization_type = FINALIZATION_TYPE_FINAL,
432 	}, {
433 		.name = "digest uneven misaligned splits, may sleep",
434 		.req_flags = CRYPTO_TFM_REQ_MAY_SLEEP,
435 		.src_divs = {
436 			{ .proportion_of_total = 1900, .offset = 33 },
437 			{ .proportion_of_total = 3300, .offset = 7  },
438 			{ .proportion_of_total = 4800, .offset = 18 },
439 		},
440 		.finalization_type = FINALIZATION_TYPE_DIGEST,
441 	}, {
442 		.name = "digest misaligned splits crossing pages",
443 		.src_divs = {
444 			{
445 				.proportion_of_total = 7500,
446 				.offset = PAGE_SIZE - 32,
447 			}, {
448 				.proportion_of_total = 2500,
449 				.offset = PAGE_SIZE - 7,
450 			},
451 		},
452 		.finalization_type = FINALIZATION_TYPE_DIGEST,
453 	}, {
454 		.name = "import/export",
455 		.src_divs = {
456 			{
457 				.proportion_of_total = 6500,
458 				.flush_type = FLUSH_TYPE_REIMPORT,
459 			}, {
460 				.proportion_of_total = 3500,
461 				.flush_type = FLUSH_TYPE_REIMPORT,
462 			},
463 		},
464 		.finalization_type = FINALIZATION_TYPE_FINAL,
465 	}
466 };
467 
468 static unsigned int count_test_sg_divisions(const struct test_sg_division *divs)
469 {
470 	unsigned int remaining = TEST_SG_TOTAL;
471 	unsigned int ndivs = 0;
472 
473 	do {
474 		remaining -= divs[ndivs++].proportion_of_total;
475 	} while (remaining);
476 
477 	return ndivs;
478 }
479 
480 #define SGDIVS_HAVE_FLUSHES	BIT(0)
481 #define SGDIVS_HAVE_NOSIMD	BIT(1)
482 
483 static bool valid_sg_divisions(const struct test_sg_division *divs,
484 			       unsigned int count, int *flags_ret)
485 {
486 	unsigned int total = 0;
487 	unsigned int i;
488 
489 	for (i = 0; i < count && total != TEST_SG_TOTAL; i++) {
490 		if (divs[i].proportion_of_total <= 0 ||
491 		    divs[i].proportion_of_total > TEST_SG_TOTAL - total)
492 			return false;
493 		total += divs[i].proportion_of_total;
494 		if (divs[i].flush_type != FLUSH_TYPE_NONE)
495 			*flags_ret |= SGDIVS_HAVE_FLUSHES;
496 		if (divs[i].nosimd)
497 			*flags_ret |= SGDIVS_HAVE_NOSIMD;
498 	}
499 	return total == TEST_SG_TOTAL &&
500 		memchr_inv(&divs[i], 0, (count - i) * sizeof(divs[0])) == NULL;
501 }
502 
503 /*
504  * Check whether the given testvec_config is valid.  This isn't strictly needed
505  * since every testvec_config should be valid, but check anyway so that people
506  * don't unknowingly add broken configs that don't do what they wanted.
507  */
508 static bool valid_testvec_config(const struct testvec_config *cfg)
509 {
510 	int flags = 0;
511 
512 	if (cfg->name == NULL)
513 		return false;
514 
515 	if (!valid_sg_divisions(cfg->src_divs, ARRAY_SIZE(cfg->src_divs),
516 				&flags))
517 		return false;
518 
519 	if (cfg->dst_divs[0].proportion_of_total) {
520 		if (!valid_sg_divisions(cfg->dst_divs,
521 					ARRAY_SIZE(cfg->dst_divs), &flags))
522 			return false;
523 	} else {
524 		if (memchr_inv(cfg->dst_divs, 0, sizeof(cfg->dst_divs)))
525 			return false;
526 		/* defaults to dst_divs=src_divs */
527 	}
528 
529 	if (cfg->iv_offset +
530 	    (cfg->iv_offset_relative_to_alignmask ? MAX_ALGAPI_ALIGNMASK : 0) >
531 	    MAX_ALGAPI_ALIGNMASK + 1)
532 		return false;
533 
534 	if ((flags & (SGDIVS_HAVE_FLUSHES | SGDIVS_HAVE_NOSIMD)) &&
535 	    cfg->finalization_type == FINALIZATION_TYPE_DIGEST)
536 		return false;
537 
538 	if ((cfg->nosimd || (flags & SGDIVS_HAVE_NOSIMD)) &&
539 	    (cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP))
540 		return false;
541 
542 	return true;
543 }
544 
545 struct test_sglist {
546 	char *bufs[XBUFSIZE];
547 	struct scatterlist sgl[XBUFSIZE];
548 	struct scatterlist sgl_saved[XBUFSIZE];
549 	struct scatterlist *sgl_ptr;
550 	unsigned int nents;
551 };
552 
553 static int init_test_sglist(struct test_sglist *tsgl)
554 {
555 	return __testmgr_alloc_buf(tsgl->bufs, 1 /* two pages per buffer */);
556 }
557 
558 static void destroy_test_sglist(struct test_sglist *tsgl)
559 {
560 	return __testmgr_free_buf(tsgl->bufs, 1 /* two pages per buffer */);
561 }
562 
563 /**
564  * build_test_sglist() - build a scatterlist for a crypto test
565  *
566  * @tsgl: the scatterlist to build.  @tsgl->bufs[] contains an array of 2-page
567  *	  buffers which the scatterlist @tsgl->sgl[] will be made to point into.
568  * @divs: the layout specification on which the scatterlist will be based
569  * @alignmask: the algorithm's alignmask
570  * @total_len: the total length of the scatterlist to build in bytes
571  * @data: if non-NULL, the buffers will be filled with this data until it ends.
572  *	  Otherwise the buffers will be poisoned.  In both cases, some bytes
573  *	  past the end of each buffer will be poisoned to help detect overruns.
574  * @out_divs: if non-NULL, the test_sg_division to which each scatterlist entry
575  *	      corresponds will be returned here.  This will match @divs except
576  *	      that divisions resolving to a length of 0 are omitted as they are
577  *	      not included in the scatterlist.
578  *
579  * Return: 0 or a -errno value
580  */
581 static int build_test_sglist(struct test_sglist *tsgl,
582 			     const struct test_sg_division *divs,
583 			     const unsigned int alignmask,
584 			     const unsigned int total_len,
585 			     struct iov_iter *data,
586 			     const struct test_sg_division *out_divs[XBUFSIZE])
587 {
588 	struct {
589 		const struct test_sg_division *div;
590 		size_t length;
591 	} partitions[XBUFSIZE];
592 	const unsigned int ndivs = count_test_sg_divisions(divs);
593 	unsigned int len_remaining = total_len;
594 	unsigned int i;
595 
596 	BUILD_BUG_ON(ARRAY_SIZE(partitions) != ARRAY_SIZE(tsgl->sgl));
597 	if (WARN_ON(ndivs > ARRAY_SIZE(partitions)))
598 		return -EINVAL;
599 
600 	/* Calculate the (div, length) pairs */
601 	tsgl->nents = 0;
602 	for (i = 0; i < ndivs; i++) {
603 		unsigned int len_this_sg =
604 			min(len_remaining,
605 			    (total_len * divs[i].proportion_of_total +
606 			     TEST_SG_TOTAL / 2) / TEST_SG_TOTAL);
607 
608 		if (len_this_sg != 0) {
609 			partitions[tsgl->nents].div = &divs[i];
610 			partitions[tsgl->nents].length = len_this_sg;
611 			tsgl->nents++;
612 			len_remaining -= len_this_sg;
613 		}
614 	}
615 	if (tsgl->nents == 0) {
616 		partitions[tsgl->nents].div = &divs[0];
617 		partitions[tsgl->nents].length = 0;
618 		tsgl->nents++;
619 	}
620 	partitions[tsgl->nents - 1].length += len_remaining;
621 
622 	/* Set up the sgl entries and fill the data or poison */
623 	sg_init_table(tsgl->sgl, tsgl->nents);
624 	for (i = 0; i < tsgl->nents; i++) {
625 		unsigned int offset = partitions[i].div->offset;
626 		void *addr;
627 
628 		if (partitions[i].div->offset_relative_to_alignmask)
629 			offset += alignmask;
630 
631 		while (offset + partitions[i].length + TESTMGR_POISON_LEN >
632 		       2 * PAGE_SIZE) {
633 			if (WARN_ON(offset <= 0))
634 				return -EINVAL;
635 			offset /= 2;
636 		}
637 
638 		addr = &tsgl->bufs[i][offset];
639 		sg_set_buf(&tsgl->sgl[i], addr, partitions[i].length);
640 
641 		if (out_divs)
642 			out_divs[i] = partitions[i].div;
643 
644 		if (data) {
645 			size_t copy_len, copied;
646 
647 			copy_len = min(partitions[i].length, data->count);
648 			copied = copy_from_iter(addr, copy_len, data);
649 			if (WARN_ON(copied != copy_len))
650 				return -EINVAL;
651 			testmgr_poison(addr + copy_len, partitions[i].length +
652 				       TESTMGR_POISON_LEN - copy_len);
653 		} else {
654 			testmgr_poison(addr, partitions[i].length +
655 				       TESTMGR_POISON_LEN);
656 		}
657 	}
658 
659 	sg_mark_end(&tsgl->sgl[tsgl->nents - 1]);
660 	tsgl->sgl_ptr = tsgl->sgl;
661 	memcpy(tsgl->sgl_saved, tsgl->sgl, tsgl->nents * sizeof(tsgl->sgl[0]));
662 	return 0;
663 }
664 
665 /*
666  * Verify that a scatterlist crypto operation produced the correct output.
667  *
668  * @tsgl: scatterlist containing the actual output
669  * @expected_output: buffer containing the expected output
670  * @len_to_check: length of @expected_output in bytes
671  * @unchecked_prefix_len: number of ignored bytes in @tsgl prior to real result
672  * @check_poison: verify that the poison bytes after each chunk are intact?
673  *
674  * Return: 0 if correct, -EINVAL if incorrect, -EOVERFLOW if buffer overrun.
675  */
676 static int verify_correct_output(const struct test_sglist *tsgl,
677 				 const char *expected_output,
678 				 unsigned int len_to_check,
679 				 unsigned int unchecked_prefix_len,
680 				 bool check_poison)
681 {
682 	unsigned int i;
683 
684 	for (i = 0; i < tsgl->nents; i++) {
685 		struct scatterlist *sg = &tsgl->sgl_ptr[i];
686 		unsigned int len = sg->length;
687 		unsigned int offset = sg->offset;
688 		const char *actual_output;
689 
690 		if (unchecked_prefix_len) {
691 			if (unchecked_prefix_len >= len) {
692 				unchecked_prefix_len -= len;
693 				continue;
694 			}
695 			offset += unchecked_prefix_len;
696 			len -= unchecked_prefix_len;
697 			unchecked_prefix_len = 0;
698 		}
699 		len = min(len, len_to_check);
700 		actual_output = page_address(sg_page(sg)) + offset;
701 		if (memcmp(expected_output, actual_output, len) != 0)
702 			return -EINVAL;
703 		if (check_poison &&
704 		    !testmgr_is_poison(actual_output + len, TESTMGR_POISON_LEN))
705 			return -EOVERFLOW;
706 		len_to_check -= len;
707 		expected_output += len;
708 	}
709 	if (WARN_ON(len_to_check != 0))
710 		return -EINVAL;
711 	return 0;
712 }
713 
714 static bool is_test_sglist_corrupted(const struct test_sglist *tsgl)
715 {
716 	unsigned int i;
717 
718 	for (i = 0; i < tsgl->nents; i++) {
719 		if (tsgl->sgl[i].page_link != tsgl->sgl_saved[i].page_link)
720 			return true;
721 		if (tsgl->sgl[i].offset != tsgl->sgl_saved[i].offset)
722 			return true;
723 		if (tsgl->sgl[i].length != tsgl->sgl_saved[i].length)
724 			return true;
725 	}
726 	return false;
727 }
728 
729 struct cipher_test_sglists {
730 	struct test_sglist src;
731 	struct test_sglist dst;
732 };
733 
734 static struct cipher_test_sglists *alloc_cipher_test_sglists(void)
735 {
736 	struct cipher_test_sglists *tsgls;
737 
738 	tsgls = kmalloc(sizeof(*tsgls), GFP_KERNEL);
739 	if (!tsgls)
740 		return NULL;
741 
742 	if (init_test_sglist(&tsgls->src) != 0)
743 		goto fail_kfree;
744 	if (init_test_sglist(&tsgls->dst) != 0)
745 		goto fail_destroy_src;
746 
747 	return tsgls;
748 
749 fail_destroy_src:
750 	destroy_test_sglist(&tsgls->src);
751 fail_kfree:
752 	kfree(tsgls);
753 	return NULL;
754 }
755 
756 static void free_cipher_test_sglists(struct cipher_test_sglists *tsgls)
757 {
758 	if (tsgls) {
759 		destroy_test_sglist(&tsgls->src);
760 		destroy_test_sglist(&tsgls->dst);
761 		kfree(tsgls);
762 	}
763 }
764 
765 /* Build the src and dst scatterlists for an skcipher or AEAD test */
766 static int build_cipher_test_sglists(struct cipher_test_sglists *tsgls,
767 				     const struct testvec_config *cfg,
768 				     unsigned int alignmask,
769 				     unsigned int src_total_len,
770 				     unsigned int dst_total_len,
771 				     const struct kvec *inputs,
772 				     unsigned int nr_inputs)
773 {
774 	struct iov_iter input;
775 	int err;
776 
777 	iov_iter_kvec(&input, ITER_SOURCE, inputs, nr_inputs, src_total_len);
778 	err = build_test_sglist(&tsgls->src, cfg->src_divs, alignmask,
779 				cfg->inplace_mode != OUT_OF_PLACE ?
780 					max(dst_total_len, src_total_len) :
781 					src_total_len,
782 				&input, NULL);
783 	if (err)
784 		return err;
785 
786 	/*
787 	 * In-place crypto operations can use the same scatterlist for both the
788 	 * source and destination (req->src == req->dst), or can use separate
789 	 * scatterlists (req->src != req->dst) which point to the same
790 	 * underlying memory.  Make sure to test both cases.
791 	 */
792 	if (cfg->inplace_mode == INPLACE_ONE_SGLIST) {
793 		tsgls->dst.sgl_ptr = tsgls->src.sgl;
794 		tsgls->dst.nents = tsgls->src.nents;
795 		return 0;
796 	}
797 	if (cfg->inplace_mode == INPLACE_TWO_SGLISTS) {
798 		/*
799 		 * For now we keep it simple and only test the case where the
800 		 * two scatterlists have identical entries, rather than
801 		 * different entries that split up the same memory differently.
802 		 */
803 		memcpy(tsgls->dst.sgl, tsgls->src.sgl,
804 		       tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
805 		memcpy(tsgls->dst.sgl_saved, tsgls->src.sgl,
806 		       tsgls->src.nents * sizeof(tsgls->src.sgl[0]));
807 		tsgls->dst.sgl_ptr = tsgls->dst.sgl;
808 		tsgls->dst.nents = tsgls->src.nents;
809 		return 0;
810 	}
811 	/* Out of place */
812 	return build_test_sglist(&tsgls->dst,
813 				 cfg->dst_divs[0].proportion_of_total ?
814 					cfg->dst_divs : cfg->src_divs,
815 				 alignmask, dst_total_len, NULL, NULL);
816 }
817 
818 /*
819  * Support for testing passing a misaligned key to setkey():
820  *
821  * If cfg->key_offset is set, copy the key into a new buffer at that offset,
822  * optionally adding alignmask.  Else, just use the key directly.
823  */
824 static int prepare_keybuf(const u8 *key, unsigned int ksize,
825 			  const struct testvec_config *cfg,
826 			  unsigned int alignmask,
827 			  const u8 **keybuf_ret, const u8 **keyptr_ret)
828 {
829 	unsigned int key_offset = cfg->key_offset;
830 	u8 *keybuf = NULL, *keyptr = (u8 *)key;
831 
832 	if (key_offset != 0) {
833 		if (cfg->key_offset_relative_to_alignmask)
834 			key_offset += alignmask;
835 		keybuf = kmalloc(key_offset + ksize, GFP_KERNEL);
836 		if (!keybuf)
837 			return -ENOMEM;
838 		keyptr = keybuf + key_offset;
839 		memcpy(keyptr, key, ksize);
840 	}
841 	*keybuf_ret = keybuf;
842 	*keyptr_ret = keyptr;
843 	return 0;
844 }
845 
846 /* Like setkey_f(tfm, key, ksize), but sometimes misalign the key */
847 #define do_setkey(setkey_f, tfm, key, ksize, cfg, alignmask)		\
848 ({									\
849 	const u8 *keybuf, *keyptr;					\
850 	int err;							\
851 									\
852 	err = prepare_keybuf((key), (ksize), (cfg), (alignmask),	\
853 			     &keybuf, &keyptr);				\
854 	if (err == 0) {							\
855 		err = setkey_f((tfm), keyptr, (ksize));			\
856 		kfree(keybuf);						\
857 	}								\
858 	err;								\
859 })
860 
861 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
862 
863 /* Generate a random length in range [0, max_len], but prefer smaller values */
864 static unsigned int generate_random_length(unsigned int max_len)
865 {
866 	unsigned int len = get_random_u32_below(max_len + 1);
867 
868 	switch (get_random_u32_below(4)) {
869 	case 0:
870 		return len % 64;
871 	case 1:
872 		return len % 256;
873 	case 2:
874 		return len % 1024;
875 	default:
876 		return len;
877 	}
878 }
879 
880 /* Flip a random bit in the given nonempty data buffer */
881 static void flip_random_bit(u8 *buf, size_t size)
882 {
883 	size_t bitpos;
884 
885 	bitpos = get_random_u32_below(size * 8);
886 	buf[bitpos / 8] ^= 1 << (bitpos % 8);
887 }
888 
889 /* Flip a random byte in the given nonempty data buffer */
890 static void flip_random_byte(u8 *buf, size_t size)
891 {
892 	buf[get_random_u32_below(size)] ^= 0xff;
893 }
894 
895 /* Sometimes make some random changes to the given nonempty data buffer */
896 static void mutate_buffer(u8 *buf, size_t size)
897 {
898 	size_t num_flips;
899 	size_t i;
900 
901 	/* Sometimes flip some bits */
902 	if (get_random_u32_below(4) == 0) {
903 		num_flips = min_t(size_t, 1 << get_random_u32_below(8), size * 8);
904 		for (i = 0; i < num_flips; i++)
905 			flip_random_bit(buf, size);
906 	}
907 
908 	/* Sometimes flip some bytes */
909 	if (get_random_u32_below(4) == 0) {
910 		num_flips = min_t(size_t, 1 << get_random_u32_below(8), size);
911 		for (i = 0; i < num_flips; i++)
912 			flip_random_byte(buf, size);
913 	}
914 }
915 
916 /* Randomly generate 'count' bytes, but sometimes make them "interesting" */
917 static void generate_random_bytes(u8 *buf, size_t count)
918 {
919 	u8 b;
920 	u8 increment;
921 	size_t i;
922 
923 	if (count == 0)
924 		return;
925 
926 	switch (get_random_u32_below(8)) { /* Choose a generation strategy */
927 	case 0:
928 	case 1:
929 		/* All the same byte, plus optional mutations */
930 		switch (get_random_u32_below(4)) {
931 		case 0:
932 			b = 0x00;
933 			break;
934 		case 1:
935 			b = 0xff;
936 			break;
937 		default:
938 			b = get_random_u8();
939 			break;
940 		}
941 		memset(buf, b, count);
942 		mutate_buffer(buf, count);
943 		break;
944 	case 2:
945 		/* Ascending or descending bytes, plus optional mutations */
946 		increment = get_random_u8();
947 		b = get_random_u8();
948 		for (i = 0; i < count; i++, b += increment)
949 			buf[i] = b;
950 		mutate_buffer(buf, count);
951 		break;
952 	default:
953 		/* Fully random bytes */
954 		for (i = 0; i < count; i++)
955 			buf[i] = get_random_u8();
956 	}
957 }
958 
959 static char *generate_random_sgl_divisions(struct test_sg_division *divs,
960 					   size_t max_divs, char *p, char *end,
961 					   bool gen_flushes, u32 req_flags)
962 {
963 	struct test_sg_division *div = divs;
964 	unsigned int remaining = TEST_SG_TOTAL;
965 
966 	do {
967 		unsigned int this_len;
968 		const char *flushtype_str;
969 
970 		if (div == &divs[max_divs - 1] || get_random_u32_below(2) == 0)
971 			this_len = remaining;
972 		else
973 			this_len = get_random_u32_inclusive(1, remaining);
974 		div->proportion_of_total = this_len;
975 
976 		if (get_random_u32_below(4) == 0)
977 			div->offset = get_random_u32_inclusive(PAGE_SIZE - 128, PAGE_SIZE - 1);
978 		else if (get_random_u32_below(2) == 0)
979 			div->offset = get_random_u32_below(32);
980 		else
981 			div->offset = get_random_u32_below(PAGE_SIZE);
982 		if (get_random_u32_below(8) == 0)
983 			div->offset_relative_to_alignmask = true;
984 
985 		div->flush_type = FLUSH_TYPE_NONE;
986 		if (gen_flushes) {
987 			switch (get_random_u32_below(4)) {
988 			case 0:
989 				div->flush_type = FLUSH_TYPE_REIMPORT;
990 				break;
991 			case 1:
992 				div->flush_type = FLUSH_TYPE_FLUSH;
993 				break;
994 			}
995 		}
996 
997 		if (div->flush_type != FLUSH_TYPE_NONE &&
998 		    !(req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
999 		    get_random_u32_below(2) == 0)
1000 			div->nosimd = true;
1001 
1002 		switch (div->flush_type) {
1003 		case FLUSH_TYPE_FLUSH:
1004 			if (div->nosimd)
1005 				flushtype_str = "<flush,nosimd>";
1006 			else
1007 				flushtype_str = "<flush>";
1008 			break;
1009 		case FLUSH_TYPE_REIMPORT:
1010 			if (div->nosimd)
1011 				flushtype_str = "<reimport,nosimd>";
1012 			else
1013 				flushtype_str = "<reimport>";
1014 			break;
1015 		default:
1016 			flushtype_str = "";
1017 			break;
1018 		}
1019 
1020 		BUILD_BUG_ON(TEST_SG_TOTAL != 10000); /* for "%u.%u%%" */
1021 		p += scnprintf(p, end - p, "%s%u.%u%%@%s+%u%s", flushtype_str,
1022 			       this_len / 100, this_len % 100,
1023 			       div->offset_relative_to_alignmask ?
1024 					"alignmask" : "",
1025 			       div->offset, this_len == remaining ? "" : ", ");
1026 		remaining -= this_len;
1027 		div++;
1028 	} while (remaining);
1029 
1030 	return p;
1031 }
1032 
1033 /* Generate a random testvec_config for fuzz testing */
1034 static void generate_random_testvec_config(struct testvec_config *cfg,
1035 					   char *name, size_t max_namelen)
1036 {
1037 	char *p = name;
1038 	char * const end = name + max_namelen;
1039 
1040 	memset(cfg, 0, sizeof(*cfg));
1041 
1042 	cfg->name = name;
1043 
1044 	p += scnprintf(p, end - p, "random:");
1045 
1046 	switch (get_random_u32_below(4)) {
1047 	case 0:
1048 	case 1:
1049 		cfg->inplace_mode = OUT_OF_PLACE;
1050 		break;
1051 	case 2:
1052 		cfg->inplace_mode = INPLACE_ONE_SGLIST;
1053 		p += scnprintf(p, end - p, " inplace_one_sglist");
1054 		break;
1055 	default:
1056 		cfg->inplace_mode = INPLACE_TWO_SGLISTS;
1057 		p += scnprintf(p, end - p, " inplace_two_sglists");
1058 		break;
1059 	}
1060 
1061 	if (get_random_u32_below(2) == 0) {
1062 		cfg->req_flags |= CRYPTO_TFM_REQ_MAY_SLEEP;
1063 		p += scnprintf(p, end - p, " may_sleep");
1064 	}
1065 
1066 	switch (get_random_u32_below(4)) {
1067 	case 0:
1068 		cfg->finalization_type = FINALIZATION_TYPE_FINAL;
1069 		p += scnprintf(p, end - p, " use_final");
1070 		break;
1071 	case 1:
1072 		cfg->finalization_type = FINALIZATION_TYPE_FINUP;
1073 		p += scnprintf(p, end - p, " use_finup");
1074 		break;
1075 	default:
1076 		cfg->finalization_type = FINALIZATION_TYPE_DIGEST;
1077 		p += scnprintf(p, end - p, " use_digest");
1078 		break;
1079 	}
1080 
1081 	if (!(cfg->req_flags & CRYPTO_TFM_REQ_MAY_SLEEP) &&
1082 	    get_random_u32_below(2) == 0) {
1083 		cfg->nosimd = true;
1084 		p += scnprintf(p, end - p, " nosimd");
1085 	}
1086 
1087 	p += scnprintf(p, end - p, " src_divs=[");
1088 	p = generate_random_sgl_divisions(cfg->src_divs,
1089 					  ARRAY_SIZE(cfg->src_divs), p, end,
1090 					  (cfg->finalization_type !=
1091 					   FINALIZATION_TYPE_DIGEST),
1092 					  cfg->req_flags);
1093 	p += scnprintf(p, end - p, "]");
1094 
1095 	if (cfg->inplace_mode == OUT_OF_PLACE && get_random_u32_below(2) == 0) {
1096 		p += scnprintf(p, end - p, " dst_divs=[");
1097 		p = generate_random_sgl_divisions(cfg->dst_divs,
1098 						  ARRAY_SIZE(cfg->dst_divs),
1099 						  p, end, false,
1100 						  cfg->req_flags);
1101 		p += scnprintf(p, end - p, "]");
1102 	}
1103 
1104 	if (get_random_u32_below(2) == 0) {
1105 		cfg->iv_offset = get_random_u32_inclusive(1, MAX_ALGAPI_ALIGNMASK);
1106 		p += scnprintf(p, end - p, " iv_offset=%u", cfg->iv_offset);
1107 	}
1108 
1109 	if (get_random_u32_below(2) == 0) {
1110 		cfg->key_offset = get_random_u32_inclusive(1, MAX_ALGAPI_ALIGNMASK);
1111 		p += scnprintf(p, end - p, " key_offset=%u", cfg->key_offset);
1112 	}
1113 
1114 	WARN_ON_ONCE(!valid_testvec_config(cfg));
1115 }
1116 
1117 static void crypto_disable_simd_for_test(void)
1118 {
1119 	migrate_disable();
1120 	__this_cpu_write(crypto_simd_disabled_for_test, true);
1121 }
1122 
1123 static void crypto_reenable_simd_for_test(void)
1124 {
1125 	__this_cpu_write(crypto_simd_disabled_for_test, false);
1126 	migrate_enable();
1127 }
1128 
1129 /*
1130  * Given an algorithm name, build the name of the generic implementation of that
1131  * algorithm, assuming the usual naming convention.  Specifically, this appends
1132  * "-generic" to every part of the name that is not a template name.  Examples:
1133  *
1134  *	aes => aes-generic
1135  *	cbc(aes) => cbc(aes-generic)
1136  *	cts(cbc(aes)) => cts(cbc(aes-generic))
1137  *	rfc7539(chacha20,poly1305) => rfc7539(chacha20-generic,poly1305-generic)
1138  *
1139  * Return: 0 on success, or -ENAMETOOLONG if the generic name would be too long
1140  */
1141 static int build_generic_driver_name(const char *algname,
1142 				     char driver_name[CRYPTO_MAX_ALG_NAME])
1143 {
1144 	const char *in = algname;
1145 	char *out = driver_name;
1146 	size_t len = strlen(algname);
1147 
1148 	if (len >= CRYPTO_MAX_ALG_NAME)
1149 		goto too_long;
1150 	do {
1151 		const char *in_saved = in;
1152 
1153 		while (*in && *in != '(' && *in != ')' && *in != ',')
1154 			*out++ = *in++;
1155 		if (*in != '(' && in > in_saved) {
1156 			len += 8;
1157 			if (len >= CRYPTO_MAX_ALG_NAME)
1158 				goto too_long;
1159 			memcpy(out, "-generic", 8);
1160 			out += 8;
1161 		}
1162 	} while ((*out++ = *in++) != '\0');
1163 	return 0;
1164 
1165 too_long:
1166 	pr_err("alg: generic driver name for \"%s\" would be too long\n",
1167 	       algname);
1168 	return -ENAMETOOLONG;
1169 }
1170 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1171 static void crypto_disable_simd_for_test(void)
1172 {
1173 }
1174 
1175 static void crypto_reenable_simd_for_test(void)
1176 {
1177 }
1178 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1179 
1180 static int build_hash_sglist(struct test_sglist *tsgl,
1181 			     const struct hash_testvec *vec,
1182 			     const struct testvec_config *cfg,
1183 			     unsigned int alignmask,
1184 			     const struct test_sg_division *divs[XBUFSIZE])
1185 {
1186 	struct kvec kv;
1187 	struct iov_iter input;
1188 
1189 	kv.iov_base = (void *)vec->plaintext;
1190 	kv.iov_len = vec->psize;
1191 	iov_iter_kvec(&input, ITER_SOURCE, &kv, 1, vec->psize);
1192 	return build_test_sglist(tsgl, cfg->src_divs, alignmask, vec->psize,
1193 				 &input, divs);
1194 }
1195 
1196 static int check_hash_result(const char *type,
1197 			     const u8 *result, unsigned int digestsize,
1198 			     const struct hash_testvec *vec,
1199 			     const char *vec_name,
1200 			     const char *driver,
1201 			     const struct testvec_config *cfg)
1202 {
1203 	if (memcmp(result, vec->digest, digestsize) != 0) {
1204 		pr_err("alg: %s: %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
1205 		       type, driver, vec_name, cfg->name);
1206 		return -EINVAL;
1207 	}
1208 	if (!testmgr_is_poison(&result[digestsize], TESTMGR_POISON_LEN)) {
1209 		pr_err("alg: %s: %s overran result buffer on test vector %s, cfg=\"%s\"\n",
1210 		       type, driver, vec_name, cfg->name);
1211 		return -EOVERFLOW;
1212 	}
1213 	return 0;
1214 }
1215 
1216 static inline int check_shash_op(const char *op, int err,
1217 				 const char *driver, const char *vec_name,
1218 				 const struct testvec_config *cfg)
1219 {
1220 	if (err)
1221 		pr_err("alg: shash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1222 		       driver, op, err, vec_name, cfg->name);
1223 	return err;
1224 }
1225 
1226 /* Test one hash test vector in one configuration, using the shash API */
1227 static int test_shash_vec_cfg(const struct hash_testvec *vec,
1228 			      const char *vec_name,
1229 			      const struct testvec_config *cfg,
1230 			      struct shash_desc *desc,
1231 			      struct test_sglist *tsgl,
1232 			      u8 *hashstate)
1233 {
1234 	struct crypto_shash *tfm = desc->tfm;
1235 	const unsigned int alignmask = crypto_shash_alignmask(tfm);
1236 	const unsigned int digestsize = crypto_shash_digestsize(tfm);
1237 	const unsigned int statesize = crypto_shash_statesize(tfm);
1238 	const char *driver = crypto_shash_driver_name(tfm);
1239 	const struct test_sg_division *divs[XBUFSIZE];
1240 	unsigned int i;
1241 	u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1242 	int err;
1243 
1244 	/* Set the key, if specified */
1245 	if (vec->ksize) {
1246 		err = do_setkey(crypto_shash_setkey, tfm, vec->key, vec->ksize,
1247 				cfg, alignmask);
1248 		if (err) {
1249 			if (err == vec->setkey_error)
1250 				return 0;
1251 			pr_err("alg: shash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1252 			       driver, vec_name, vec->setkey_error, err,
1253 			       crypto_shash_get_flags(tfm));
1254 			return err;
1255 		}
1256 		if (vec->setkey_error) {
1257 			pr_err("alg: shash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1258 			       driver, vec_name, vec->setkey_error);
1259 			return -EINVAL;
1260 		}
1261 	}
1262 
1263 	/* Build the scatterlist for the source data */
1264 	err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
1265 	if (err) {
1266 		pr_err("alg: shash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1267 		       driver, vec_name, cfg->name);
1268 		return err;
1269 	}
1270 
1271 	/* Do the actual hashing */
1272 
1273 	testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1274 	testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1275 
1276 	if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1277 	    vec->digest_error) {
1278 		/* Just using digest() */
1279 		if (tsgl->nents != 1)
1280 			return 0;
1281 		if (cfg->nosimd)
1282 			crypto_disable_simd_for_test();
1283 		err = crypto_shash_digest(desc, sg_virt(&tsgl->sgl[0]),
1284 					  tsgl->sgl[0].length, result);
1285 		if (cfg->nosimd)
1286 			crypto_reenable_simd_for_test();
1287 		if (err) {
1288 			if (err == vec->digest_error)
1289 				return 0;
1290 			pr_err("alg: shash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1291 			       driver, vec_name, vec->digest_error, err,
1292 			       cfg->name);
1293 			return err;
1294 		}
1295 		if (vec->digest_error) {
1296 			pr_err("alg: shash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1297 			       driver, vec_name, vec->digest_error, cfg->name);
1298 			return -EINVAL;
1299 		}
1300 		goto result_ready;
1301 	}
1302 
1303 	/* Using init(), zero or more update(), then final() or finup() */
1304 
1305 	if (cfg->nosimd)
1306 		crypto_disable_simd_for_test();
1307 	err = crypto_shash_init(desc);
1308 	if (cfg->nosimd)
1309 		crypto_reenable_simd_for_test();
1310 	err = check_shash_op("init", err, driver, vec_name, cfg);
1311 	if (err)
1312 		return err;
1313 
1314 	for (i = 0; i < tsgl->nents; i++) {
1315 		if (i + 1 == tsgl->nents &&
1316 		    cfg->finalization_type == FINALIZATION_TYPE_FINUP) {
1317 			if (divs[i]->nosimd)
1318 				crypto_disable_simd_for_test();
1319 			err = crypto_shash_finup(desc, sg_virt(&tsgl->sgl[i]),
1320 						 tsgl->sgl[i].length, result);
1321 			if (divs[i]->nosimd)
1322 				crypto_reenable_simd_for_test();
1323 			err = check_shash_op("finup", err, driver, vec_name,
1324 					     cfg);
1325 			if (err)
1326 				return err;
1327 			goto result_ready;
1328 		}
1329 		if (divs[i]->nosimd)
1330 			crypto_disable_simd_for_test();
1331 		err = crypto_shash_update(desc, sg_virt(&tsgl->sgl[i]),
1332 					  tsgl->sgl[i].length);
1333 		if (divs[i]->nosimd)
1334 			crypto_reenable_simd_for_test();
1335 		err = check_shash_op("update", err, driver, vec_name, cfg);
1336 		if (err)
1337 			return err;
1338 		if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1339 			/* Test ->export() and ->import() */
1340 			testmgr_poison(hashstate + statesize,
1341 				       TESTMGR_POISON_LEN);
1342 			err = crypto_shash_export(desc, hashstate);
1343 			err = check_shash_op("export", err, driver, vec_name,
1344 					     cfg);
1345 			if (err)
1346 				return err;
1347 			if (!testmgr_is_poison(hashstate + statesize,
1348 					       TESTMGR_POISON_LEN)) {
1349 				pr_err("alg: shash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1350 				       driver, vec_name, cfg->name);
1351 				return -EOVERFLOW;
1352 			}
1353 			testmgr_poison(desc->__ctx, crypto_shash_descsize(tfm));
1354 			err = crypto_shash_import(desc, hashstate);
1355 			err = check_shash_op("import", err, driver, vec_name,
1356 					     cfg);
1357 			if (err)
1358 				return err;
1359 		}
1360 	}
1361 
1362 	if (cfg->nosimd)
1363 		crypto_disable_simd_for_test();
1364 	err = crypto_shash_final(desc, result);
1365 	if (cfg->nosimd)
1366 		crypto_reenable_simd_for_test();
1367 	err = check_shash_op("final", err, driver, vec_name, cfg);
1368 	if (err)
1369 		return err;
1370 result_ready:
1371 	return check_hash_result("shash", result, digestsize, vec, vec_name,
1372 				 driver, cfg);
1373 }
1374 
1375 static int do_ahash_op(int (*op)(struct ahash_request *req),
1376 		       struct ahash_request *req,
1377 		       struct crypto_wait *wait, bool nosimd)
1378 {
1379 	int err;
1380 
1381 	if (nosimd)
1382 		crypto_disable_simd_for_test();
1383 
1384 	err = op(req);
1385 
1386 	if (nosimd)
1387 		crypto_reenable_simd_for_test();
1388 
1389 	return crypto_wait_req(err, wait);
1390 }
1391 
1392 static int check_nonfinal_ahash_op(const char *op, int err,
1393 				   u8 *result, unsigned int digestsize,
1394 				   const char *driver, const char *vec_name,
1395 				   const struct testvec_config *cfg)
1396 {
1397 	if (err) {
1398 		pr_err("alg: ahash: %s %s() failed with err %d on test vector %s, cfg=\"%s\"\n",
1399 		       driver, op, err, vec_name, cfg->name);
1400 		return err;
1401 	}
1402 	if (!testmgr_is_poison(result, digestsize)) {
1403 		pr_err("alg: ahash: %s %s() used result buffer on test vector %s, cfg=\"%s\"\n",
1404 		       driver, op, vec_name, cfg->name);
1405 		return -EINVAL;
1406 	}
1407 	return 0;
1408 }
1409 
1410 /* Test one hash test vector in one configuration, using the ahash API */
1411 static int test_ahash_vec_cfg(const struct hash_testvec *vec,
1412 			      const char *vec_name,
1413 			      const struct testvec_config *cfg,
1414 			      struct ahash_request *req,
1415 			      struct test_sglist *tsgl,
1416 			      u8 *hashstate)
1417 {
1418 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1419 	const unsigned int alignmask = crypto_ahash_alignmask(tfm);
1420 	const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1421 	const unsigned int statesize = crypto_ahash_statesize(tfm);
1422 	const char *driver = crypto_ahash_driver_name(tfm);
1423 	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
1424 	const struct test_sg_division *divs[XBUFSIZE];
1425 	DECLARE_CRYPTO_WAIT(wait);
1426 	unsigned int i;
1427 	struct scatterlist *pending_sgl;
1428 	unsigned int pending_len;
1429 	u8 result[HASH_MAX_DIGESTSIZE + TESTMGR_POISON_LEN];
1430 	int err;
1431 
1432 	/* Set the key, if specified */
1433 	if (vec->ksize) {
1434 		err = do_setkey(crypto_ahash_setkey, tfm, vec->key, vec->ksize,
1435 				cfg, alignmask);
1436 		if (err) {
1437 			if (err == vec->setkey_error)
1438 				return 0;
1439 			pr_err("alg: ahash: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
1440 			       driver, vec_name, vec->setkey_error, err,
1441 			       crypto_ahash_get_flags(tfm));
1442 			return err;
1443 		}
1444 		if (vec->setkey_error) {
1445 			pr_err("alg: ahash: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
1446 			       driver, vec_name, vec->setkey_error);
1447 			return -EINVAL;
1448 		}
1449 	}
1450 
1451 	/* Build the scatterlist for the source data */
1452 	err = build_hash_sglist(tsgl, vec, cfg, alignmask, divs);
1453 	if (err) {
1454 		pr_err("alg: ahash: %s: error preparing scatterlist for test vector %s, cfg=\"%s\"\n",
1455 		       driver, vec_name, cfg->name);
1456 		return err;
1457 	}
1458 
1459 	/* Do the actual hashing */
1460 
1461 	testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1462 	testmgr_poison(result, digestsize + TESTMGR_POISON_LEN);
1463 
1464 	if (cfg->finalization_type == FINALIZATION_TYPE_DIGEST ||
1465 	    vec->digest_error) {
1466 		/* Just using digest() */
1467 		ahash_request_set_callback(req, req_flags, crypto_req_done,
1468 					   &wait);
1469 		ahash_request_set_crypt(req, tsgl->sgl, result, vec->psize);
1470 		err = do_ahash_op(crypto_ahash_digest, req, &wait, cfg->nosimd);
1471 		if (err) {
1472 			if (err == vec->digest_error)
1473 				return 0;
1474 			pr_err("alg: ahash: %s digest() failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
1475 			       driver, vec_name, vec->digest_error, err,
1476 			       cfg->name);
1477 			return err;
1478 		}
1479 		if (vec->digest_error) {
1480 			pr_err("alg: ahash: %s digest() unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
1481 			       driver, vec_name, vec->digest_error, cfg->name);
1482 			return -EINVAL;
1483 		}
1484 		goto result_ready;
1485 	}
1486 
1487 	/* Using init(), zero or more update(), then final() or finup() */
1488 
1489 	ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1490 	ahash_request_set_crypt(req, NULL, result, 0);
1491 	err = do_ahash_op(crypto_ahash_init, req, &wait, cfg->nosimd);
1492 	err = check_nonfinal_ahash_op("init", err, result, digestsize,
1493 				      driver, vec_name, cfg);
1494 	if (err)
1495 		return err;
1496 
1497 	pending_sgl = NULL;
1498 	pending_len = 0;
1499 	for (i = 0; i < tsgl->nents; i++) {
1500 		if (divs[i]->flush_type != FLUSH_TYPE_NONE &&
1501 		    pending_sgl != NULL) {
1502 			/* update() with the pending data */
1503 			ahash_request_set_callback(req, req_flags,
1504 						   crypto_req_done, &wait);
1505 			ahash_request_set_crypt(req, pending_sgl, result,
1506 						pending_len);
1507 			err = do_ahash_op(crypto_ahash_update, req, &wait,
1508 					  divs[i]->nosimd);
1509 			err = check_nonfinal_ahash_op("update", err,
1510 						      result, digestsize,
1511 						      driver, vec_name, cfg);
1512 			if (err)
1513 				return err;
1514 			pending_sgl = NULL;
1515 			pending_len = 0;
1516 		}
1517 		if (divs[i]->flush_type == FLUSH_TYPE_REIMPORT) {
1518 			/* Test ->export() and ->import() */
1519 			testmgr_poison(hashstate + statesize,
1520 				       TESTMGR_POISON_LEN);
1521 			err = crypto_ahash_export(req, hashstate);
1522 			err = check_nonfinal_ahash_op("export", err,
1523 						      result, digestsize,
1524 						      driver, vec_name, cfg);
1525 			if (err)
1526 				return err;
1527 			if (!testmgr_is_poison(hashstate + statesize,
1528 					       TESTMGR_POISON_LEN)) {
1529 				pr_err("alg: ahash: %s export() overran state buffer on test vector %s, cfg=\"%s\"\n",
1530 				       driver, vec_name, cfg->name);
1531 				return -EOVERFLOW;
1532 			}
1533 
1534 			testmgr_poison(req->__ctx, crypto_ahash_reqsize(tfm));
1535 			err = crypto_ahash_import(req, hashstate);
1536 			err = check_nonfinal_ahash_op("import", err,
1537 						      result, digestsize,
1538 						      driver, vec_name, cfg);
1539 			if (err)
1540 				return err;
1541 		}
1542 		if (pending_sgl == NULL)
1543 			pending_sgl = &tsgl->sgl[i];
1544 		pending_len += tsgl->sgl[i].length;
1545 	}
1546 
1547 	ahash_request_set_callback(req, req_flags, crypto_req_done, &wait);
1548 	ahash_request_set_crypt(req, pending_sgl, result, pending_len);
1549 	if (cfg->finalization_type == FINALIZATION_TYPE_FINAL) {
1550 		/* finish with update() and final() */
1551 		err = do_ahash_op(crypto_ahash_update, req, &wait, cfg->nosimd);
1552 		err = check_nonfinal_ahash_op("update", err, result, digestsize,
1553 					      driver, vec_name, cfg);
1554 		if (err)
1555 			return err;
1556 		err = do_ahash_op(crypto_ahash_final, req, &wait, cfg->nosimd);
1557 		if (err) {
1558 			pr_err("alg: ahash: %s final() failed with err %d on test vector %s, cfg=\"%s\"\n",
1559 			       driver, err, vec_name, cfg->name);
1560 			return err;
1561 		}
1562 	} else {
1563 		/* finish with finup() */
1564 		err = do_ahash_op(crypto_ahash_finup, req, &wait, cfg->nosimd);
1565 		if (err) {
1566 			pr_err("alg: ahash: %s finup() failed with err %d on test vector %s, cfg=\"%s\"\n",
1567 			       driver, err, vec_name, cfg->name);
1568 			return err;
1569 		}
1570 	}
1571 
1572 result_ready:
1573 	return check_hash_result("ahash", result, digestsize, vec, vec_name,
1574 				 driver, cfg);
1575 }
1576 
1577 static int test_hash_vec_cfg(const struct hash_testvec *vec,
1578 			     const char *vec_name,
1579 			     const struct testvec_config *cfg,
1580 			     struct ahash_request *req,
1581 			     struct shash_desc *desc,
1582 			     struct test_sglist *tsgl,
1583 			     u8 *hashstate)
1584 {
1585 	int err;
1586 
1587 	/*
1588 	 * For algorithms implemented as "shash", most bugs will be detected by
1589 	 * both the shash and ahash tests.  Test the shash API first so that the
1590 	 * failures involve less indirection, so are easier to debug.
1591 	 */
1592 
1593 	if (desc) {
1594 		err = test_shash_vec_cfg(vec, vec_name, cfg, desc, tsgl,
1595 					 hashstate);
1596 		if (err)
1597 			return err;
1598 	}
1599 
1600 	return test_ahash_vec_cfg(vec, vec_name, cfg, req, tsgl, hashstate);
1601 }
1602 
1603 static int test_hash_vec(const struct hash_testvec *vec, unsigned int vec_num,
1604 			 struct ahash_request *req, struct shash_desc *desc,
1605 			 struct test_sglist *tsgl, u8 *hashstate)
1606 {
1607 	char vec_name[16];
1608 	unsigned int i;
1609 	int err;
1610 
1611 	sprintf(vec_name, "%u", vec_num);
1612 
1613 	for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++) {
1614 		err = test_hash_vec_cfg(vec, vec_name,
1615 					&default_hash_testvec_configs[i],
1616 					req, desc, tsgl, hashstate);
1617 		if (err)
1618 			return err;
1619 	}
1620 
1621 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1622 	if (!noextratests) {
1623 		struct testvec_config cfg;
1624 		char cfgname[TESTVEC_CONFIG_NAMELEN];
1625 
1626 		for (i = 0; i < fuzz_iterations; i++) {
1627 			generate_random_testvec_config(&cfg, cfgname,
1628 						       sizeof(cfgname));
1629 			err = test_hash_vec_cfg(vec, vec_name, &cfg,
1630 						req, desc, tsgl, hashstate);
1631 			if (err)
1632 				return err;
1633 			cond_resched();
1634 		}
1635 	}
1636 #endif
1637 	return 0;
1638 }
1639 
1640 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
1641 /*
1642  * Generate a hash test vector from the given implementation.
1643  * Assumes the buffers in 'vec' were already allocated.
1644  */
1645 static void generate_random_hash_testvec(struct shash_desc *desc,
1646 					 struct hash_testvec *vec,
1647 					 unsigned int maxkeysize,
1648 					 unsigned int maxdatasize,
1649 					 char *name, size_t max_namelen)
1650 {
1651 	/* Data */
1652 	vec->psize = generate_random_length(maxdatasize);
1653 	generate_random_bytes((u8 *)vec->plaintext, vec->psize);
1654 
1655 	/*
1656 	 * Key: length in range [1, maxkeysize], but usually choose maxkeysize.
1657 	 * If algorithm is unkeyed, then maxkeysize == 0 and set ksize = 0.
1658 	 */
1659 	vec->setkey_error = 0;
1660 	vec->ksize = 0;
1661 	if (maxkeysize) {
1662 		vec->ksize = maxkeysize;
1663 		if (get_random_u32_below(4) == 0)
1664 			vec->ksize = get_random_u32_inclusive(1, maxkeysize);
1665 		generate_random_bytes((u8 *)vec->key, vec->ksize);
1666 
1667 		vec->setkey_error = crypto_shash_setkey(desc->tfm, vec->key,
1668 							vec->ksize);
1669 		/* If the key couldn't be set, no need to continue to digest. */
1670 		if (vec->setkey_error)
1671 			goto done;
1672 	}
1673 
1674 	/* Digest */
1675 	vec->digest_error = crypto_shash_digest(desc, vec->plaintext,
1676 						vec->psize, (u8 *)vec->digest);
1677 done:
1678 	snprintf(name, max_namelen, "\"random: psize=%u ksize=%u\"",
1679 		 vec->psize, vec->ksize);
1680 }
1681 
1682 /*
1683  * Test the hash algorithm represented by @req against the corresponding generic
1684  * implementation, if one is available.
1685  */
1686 static int test_hash_vs_generic_impl(const char *generic_driver,
1687 				     unsigned int maxkeysize,
1688 				     struct ahash_request *req,
1689 				     struct shash_desc *desc,
1690 				     struct test_sglist *tsgl,
1691 				     u8 *hashstate)
1692 {
1693 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1694 	const unsigned int digestsize = crypto_ahash_digestsize(tfm);
1695 	const unsigned int blocksize = crypto_ahash_blocksize(tfm);
1696 	const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
1697 	const char *algname = crypto_hash_alg_common(tfm)->base.cra_name;
1698 	const char *driver = crypto_ahash_driver_name(tfm);
1699 	char _generic_driver[CRYPTO_MAX_ALG_NAME];
1700 	struct crypto_shash *generic_tfm = NULL;
1701 	struct shash_desc *generic_desc = NULL;
1702 	unsigned int i;
1703 	struct hash_testvec vec = { 0 };
1704 	char vec_name[64];
1705 	struct testvec_config *cfg;
1706 	char cfgname[TESTVEC_CONFIG_NAMELEN];
1707 	int err;
1708 
1709 	if (noextratests)
1710 		return 0;
1711 
1712 	if (!generic_driver) { /* Use default naming convention? */
1713 		err = build_generic_driver_name(algname, _generic_driver);
1714 		if (err)
1715 			return err;
1716 		generic_driver = _generic_driver;
1717 	}
1718 
1719 	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
1720 		return 0;
1721 
1722 	generic_tfm = crypto_alloc_shash(generic_driver, 0, 0);
1723 	if (IS_ERR(generic_tfm)) {
1724 		err = PTR_ERR(generic_tfm);
1725 		if (err == -ENOENT) {
1726 			pr_warn("alg: hash: skipping comparison tests for %s because %s is unavailable\n",
1727 				driver, generic_driver);
1728 			return 0;
1729 		}
1730 		pr_err("alg: hash: error allocating %s (generic impl of %s): %d\n",
1731 		       generic_driver, algname, err);
1732 		return err;
1733 	}
1734 
1735 	cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
1736 	if (!cfg) {
1737 		err = -ENOMEM;
1738 		goto out;
1739 	}
1740 
1741 	generic_desc = kzalloc(sizeof(*desc) +
1742 			       crypto_shash_descsize(generic_tfm), GFP_KERNEL);
1743 	if (!generic_desc) {
1744 		err = -ENOMEM;
1745 		goto out;
1746 	}
1747 	generic_desc->tfm = generic_tfm;
1748 
1749 	/* Check the algorithm properties for consistency. */
1750 
1751 	if (digestsize != crypto_shash_digestsize(generic_tfm)) {
1752 		pr_err("alg: hash: digestsize for %s (%u) doesn't match generic impl (%u)\n",
1753 		       driver, digestsize,
1754 		       crypto_shash_digestsize(generic_tfm));
1755 		err = -EINVAL;
1756 		goto out;
1757 	}
1758 
1759 	if (blocksize != crypto_shash_blocksize(generic_tfm)) {
1760 		pr_err("alg: hash: blocksize for %s (%u) doesn't match generic impl (%u)\n",
1761 		       driver, blocksize, crypto_shash_blocksize(generic_tfm));
1762 		err = -EINVAL;
1763 		goto out;
1764 	}
1765 
1766 	/*
1767 	 * Now generate test vectors using the generic implementation, and test
1768 	 * the other implementation against them.
1769 	 */
1770 
1771 	vec.key = kmalloc(maxkeysize, GFP_KERNEL);
1772 	vec.plaintext = kmalloc(maxdatasize, GFP_KERNEL);
1773 	vec.digest = kmalloc(digestsize, GFP_KERNEL);
1774 	if (!vec.key || !vec.plaintext || !vec.digest) {
1775 		err = -ENOMEM;
1776 		goto out;
1777 	}
1778 
1779 	for (i = 0; i < fuzz_iterations * 8; i++) {
1780 		generate_random_hash_testvec(generic_desc, &vec,
1781 					     maxkeysize, maxdatasize,
1782 					     vec_name, sizeof(vec_name));
1783 		generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
1784 
1785 		err = test_hash_vec_cfg(&vec, vec_name, cfg,
1786 					req, desc, tsgl, hashstate);
1787 		if (err)
1788 			goto out;
1789 		cond_resched();
1790 	}
1791 	err = 0;
1792 out:
1793 	kfree(cfg);
1794 	kfree(vec.key);
1795 	kfree(vec.plaintext);
1796 	kfree(vec.digest);
1797 	crypto_free_shash(generic_tfm);
1798 	kfree_sensitive(generic_desc);
1799 	return err;
1800 }
1801 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1802 static int test_hash_vs_generic_impl(const char *generic_driver,
1803 				     unsigned int maxkeysize,
1804 				     struct ahash_request *req,
1805 				     struct shash_desc *desc,
1806 				     struct test_sglist *tsgl,
1807 				     u8 *hashstate)
1808 {
1809 	return 0;
1810 }
1811 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
1812 
1813 static int alloc_shash(const char *driver, u32 type, u32 mask,
1814 		       struct crypto_shash **tfm_ret,
1815 		       struct shash_desc **desc_ret)
1816 {
1817 	struct crypto_shash *tfm;
1818 	struct shash_desc *desc;
1819 
1820 	tfm = crypto_alloc_shash(driver, type, mask);
1821 	if (IS_ERR(tfm)) {
1822 		if (PTR_ERR(tfm) == -ENOENT) {
1823 			/*
1824 			 * This algorithm is only available through the ahash
1825 			 * API, not the shash API, so skip the shash tests.
1826 			 */
1827 			return 0;
1828 		}
1829 		pr_err("alg: hash: failed to allocate shash transform for %s: %ld\n",
1830 		       driver, PTR_ERR(tfm));
1831 		return PTR_ERR(tfm);
1832 	}
1833 
1834 	desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL);
1835 	if (!desc) {
1836 		crypto_free_shash(tfm);
1837 		return -ENOMEM;
1838 	}
1839 	desc->tfm = tfm;
1840 
1841 	*tfm_ret = tfm;
1842 	*desc_ret = desc;
1843 	return 0;
1844 }
1845 
1846 static int __alg_test_hash(const struct hash_testvec *vecs,
1847 			   unsigned int num_vecs, const char *driver,
1848 			   u32 type, u32 mask,
1849 			   const char *generic_driver, unsigned int maxkeysize)
1850 {
1851 	struct crypto_ahash *atfm = NULL;
1852 	struct ahash_request *req = NULL;
1853 	struct crypto_shash *stfm = NULL;
1854 	struct shash_desc *desc = NULL;
1855 	struct test_sglist *tsgl = NULL;
1856 	u8 *hashstate = NULL;
1857 	unsigned int statesize;
1858 	unsigned int i;
1859 	int err;
1860 
1861 	/*
1862 	 * Always test the ahash API.  This works regardless of whether the
1863 	 * algorithm is implemented as ahash or shash.
1864 	 */
1865 
1866 	atfm = crypto_alloc_ahash(driver, type, mask);
1867 	if (IS_ERR(atfm)) {
1868 		pr_err("alg: hash: failed to allocate transform for %s: %ld\n",
1869 		       driver, PTR_ERR(atfm));
1870 		return PTR_ERR(atfm);
1871 	}
1872 	driver = crypto_ahash_driver_name(atfm);
1873 
1874 	req = ahash_request_alloc(atfm, GFP_KERNEL);
1875 	if (!req) {
1876 		pr_err("alg: hash: failed to allocate request for %s\n",
1877 		       driver);
1878 		err = -ENOMEM;
1879 		goto out;
1880 	}
1881 
1882 	/*
1883 	 * If available also test the shash API, to cover corner cases that may
1884 	 * be missed by testing the ahash API only.
1885 	 */
1886 	err = alloc_shash(driver, type, mask, &stfm, &desc);
1887 	if (err)
1888 		goto out;
1889 
1890 	tsgl = kmalloc(sizeof(*tsgl), GFP_KERNEL);
1891 	if (!tsgl || init_test_sglist(tsgl) != 0) {
1892 		pr_err("alg: hash: failed to allocate test buffers for %s\n",
1893 		       driver);
1894 		kfree(tsgl);
1895 		tsgl = NULL;
1896 		err = -ENOMEM;
1897 		goto out;
1898 	}
1899 
1900 	statesize = crypto_ahash_statesize(atfm);
1901 	if (stfm)
1902 		statesize = max(statesize, crypto_shash_statesize(stfm));
1903 	hashstate = kmalloc(statesize + TESTMGR_POISON_LEN, GFP_KERNEL);
1904 	if (!hashstate) {
1905 		pr_err("alg: hash: failed to allocate hash state buffer for %s\n",
1906 		       driver);
1907 		err = -ENOMEM;
1908 		goto out;
1909 	}
1910 
1911 	for (i = 0; i < num_vecs; i++) {
1912 		if (fips_enabled && vecs[i].fips_skip)
1913 			continue;
1914 
1915 		err = test_hash_vec(&vecs[i], i, req, desc, tsgl, hashstate);
1916 		if (err)
1917 			goto out;
1918 		cond_resched();
1919 	}
1920 	err = test_hash_vs_generic_impl(generic_driver, maxkeysize, req,
1921 					desc, tsgl, hashstate);
1922 out:
1923 	kfree(hashstate);
1924 	if (tsgl) {
1925 		destroy_test_sglist(tsgl);
1926 		kfree(tsgl);
1927 	}
1928 	kfree(desc);
1929 	crypto_free_shash(stfm);
1930 	ahash_request_free(req);
1931 	crypto_free_ahash(atfm);
1932 	return err;
1933 }
1934 
1935 static int alg_test_hash(const struct alg_test_desc *desc, const char *driver,
1936 			 u32 type, u32 mask)
1937 {
1938 	const struct hash_testvec *template = desc->suite.hash.vecs;
1939 	unsigned int tcount = desc->suite.hash.count;
1940 	unsigned int nr_unkeyed, nr_keyed;
1941 	unsigned int maxkeysize = 0;
1942 	int err;
1943 
1944 	/*
1945 	 * For OPTIONAL_KEY algorithms, we have to do all the unkeyed tests
1946 	 * first, before setting a key on the tfm.  To make this easier, we
1947 	 * require that the unkeyed test vectors (if any) are listed first.
1948 	 */
1949 
1950 	for (nr_unkeyed = 0; nr_unkeyed < tcount; nr_unkeyed++) {
1951 		if (template[nr_unkeyed].ksize)
1952 			break;
1953 	}
1954 	for (nr_keyed = 0; nr_unkeyed + nr_keyed < tcount; nr_keyed++) {
1955 		if (!template[nr_unkeyed + nr_keyed].ksize) {
1956 			pr_err("alg: hash: test vectors for %s out of order, "
1957 			       "unkeyed ones must come first\n", desc->alg);
1958 			return -EINVAL;
1959 		}
1960 		maxkeysize = max_t(unsigned int, maxkeysize,
1961 				   template[nr_unkeyed + nr_keyed].ksize);
1962 	}
1963 
1964 	err = 0;
1965 	if (nr_unkeyed) {
1966 		err = __alg_test_hash(template, nr_unkeyed, driver, type, mask,
1967 				      desc->generic_driver, maxkeysize);
1968 		template += nr_unkeyed;
1969 	}
1970 
1971 	if (!err && nr_keyed)
1972 		err = __alg_test_hash(template, nr_keyed, driver, type, mask,
1973 				      desc->generic_driver, maxkeysize);
1974 
1975 	return err;
1976 }
1977 
1978 static int test_aead_vec_cfg(int enc, const struct aead_testvec *vec,
1979 			     const char *vec_name,
1980 			     const struct testvec_config *cfg,
1981 			     struct aead_request *req,
1982 			     struct cipher_test_sglists *tsgls)
1983 {
1984 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
1985 	const unsigned int alignmask = crypto_aead_alignmask(tfm);
1986 	const unsigned int ivsize = crypto_aead_ivsize(tfm);
1987 	const unsigned int authsize = vec->clen - vec->plen;
1988 	const char *driver = crypto_aead_driver_name(tfm);
1989 	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
1990 	const char *op = enc ? "encryption" : "decryption";
1991 	DECLARE_CRYPTO_WAIT(wait);
1992 	u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
1993 	u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
1994 		 cfg->iv_offset +
1995 		 (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
1996 	struct kvec input[2];
1997 	int err;
1998 
1999 	/* Set the key */
2000 	if (vec->wk)
2001 		crypto_aead_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2002 	else
2003 		crypto_aead_clear_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2004 
2005 	err = do_setkey(crypto_aead_setkey, tfm, vec->key, vec->klen,
2006 			cfg, alignmask);
2007 	if (err && err != vec->setkey_error) {
2008 		pr_err("alg: aead: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2009 		       driver, vec_name, vec->setkey_error, err,
2010 		       crypto_aead_get_flags(tfm));
2011 		return err;
2012 	}
2013 	if (!err && vec->setkey_error) {
2014 		pr_err("alg: aead: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2015 		       driver, vec_name, vec->setkey_error);
2016 		return -EINVAL;
2017 	}
2018 
2019 	/* Set the authentication tag size */
2020 	err = crypto_aead_setauthsize(tfm, authsize);
2021 	if (err && err != vec->setauthsize_error) {
2022 		pr_err("alg: aead: %s setauthsize failed on test vector %s; expected_error=%d, actual_error=%d\n",
2023 		       driver, vec_name, vec->setauthsize_error, err);
2024 		return err;
2025 	}
2026 	if (!err && vec->setauthsize_error) {
2027 		pr_err("alg: aead: %s setauthsize unexpectedly succeeded on test vector %s; expected_error=%d\n",
2028 		       driver, vec_name, vec->setauthsize_error);
2029 		return -EINVAL;
2030 	}
2031 
2032 	if (vec->setkey_error || vec->setauthsize_error)
2033 		return 0;
2034 
2035 	/* The IV must be copied to a buffer, as the algorithm may modify it */
2036 	if (WARN_ON(ivsize > MAX_IVLEN))
2037 		return -EINVAL;
2038 	if (vec->iv)
2039 		memcpy(iv, vec->iv, ivsize);
2040 	else
2041 		memset(iv, 0, ivsize);
2042 
2043 	/* Build the src/dst scatterlists */
2044 	input[0].iov_base = (void *)vec->assoc;
2045 	input[0].iov_len = vec->alen;
2046 	input[1].iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2047 	input[1].iov_len = enc ? vec->plen : vec->clen;
2048 	err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2049 					vec->alen + (enc ? vec->plen :
2050 						     vec->clen),
2051 					vec->alen + (enc ? vec->clen :
2052 						     vec->plen),
2053 					input, 2);
2054 	if (err) {
2055 		pr_err("alg: aead: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2056 		       driver, op, vec_name, cfg->name);
2057 		return err;
2058 	}
2059 
2060 	/* Do the actual encryption or decryption */
2061 	testmgr_poison(req->__ctx, crypto_aead_reqsize(tfm));
2062 	aead_request_set_callback(req, req_flags, crypto_req_done, &wait);
2063 	aead_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2064 			       enc ? vec->plen : vec->clen, iv);
2065 	aead_request_set_ad(req, vec->alen);
2066 	if (cfg->nosimd)
2067 		crypto_disable_simd_for_test();
2068 	err = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
2069 	if (cfg->nosimd)
2070 		crypto_reenable_simd_for_test();
2071 	err = crypto_wait_req(err, &wait);
2072 
2073 	/* Check that the algorithm didn't overwrite things it shouldn't have */
2074 	if (req->cryptlen != (enc ? vec->plen : vec->clen) ||
2075 	    req->assoclen != vec->alen ||
2076 	    req->iv != iv ||
2077 	    req->src != tsgls->src.sgl_ptr ||
2078 	    req->dst != tsgls->dst.sgl_ptr ||
2079 	    crypto_aead_reqtfm(req) != tfm ||
2080 	    req->base.complete != crypto_req_done ||
2081 	    req->base.flags != req_flags ||
2082 	    req->base.data != &wait) {
2083 		pr_err("alg: aead: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2084 		       driver, op, vec_name, cfg->name);
2085 		if (req->cryptlen != (enc ? vec->plen : vec->clen))
2086 			pr_err("alg: aead: changed 'req->cryptlen'\n");
2087 		if (req->assoclen != vec->alen)
2088 			pr_err("alg: aead: changed 'req->assoclen'\n");
2089 		if (req->iv != iv)
2090 			pr_err("alg: aead: changed 'req->iv'\n");
2091 		if (req->src != tsgls->src.sgl_ptr)
2092 			pr_err("alg: aead: changed 'req->src'\n");
2093 		if (req->dst != tsgls->dst.sgl_ptr)
2094 			pr_err("alg: aead: changed 'req->dst'\n");
2095 		if (crypto_aead_reqtfm(req) != tfm)
2096 			pr_err("alg: aead: changed 'req->base.tfm'\n");
2097 		if (req->base.complete != crypto_req_done)
2098 			pr_err("alg: aead: changed 'req->base.complete'\n");
2099 		if (req->base.flags != req_flags)
2100 			pr_err("alg: aead: changed 'req->base.flags'\n");
2101 		if (req->base.data != &wait)
2102 			pr_err("alg: aead: changed 'req->base.data'\n");
2103 		return -EINVAL;
2104 	}
2105 	if (is_test_sglist_corrupted(&tsgls->src)) {
2106 		pr_err("alg: aead: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2107 		       driver, op, vec_name, cfg->name);
2108 		return -EINVAL;
2109 	}
2110 	if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2111 	    is_test_sglist_corrupted(&tsgls->dst)) {
2112 		pr_err("alg: aead: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2113 		       driver, op, vec_name, cfg->name);
2114 		return -EINVAL;
2115 	}
2116 
2117 	/* Check for unexpected success or failure, or wrong error code */
2118 	if ((err == 0 && vec->novrfy) ||
2119 	    (err != vec->crypt_error && !(err == -EBADMSG && vec->novrfy))) {
2120 		char expected_error[32];
2121 
2122 		if (vec->novrfy &&
2123 		    vec->crypt_error != 0 && vec->crypt_error != -EBADMSG)
2124 			sprintf(expected_error, "-EBADMSG or %d",
2125 				vec->crypt_error);
2126 		else if (vec->novrfy)
2127 			sprintf(expected_error, "-EBADMSG");
2128 		else
2129 			sprintf(expected_error, "%d", vec->crypt_error);
2130 		if (err) {
2131 			pr_err("alg: aead: %s %s failed on test vector %s; expected_error=%s, actual_error=%d, cfg=\"%s\"\n",
2132 			       driver, op, vec_name, expected_error, err,
2133 			       cfg->name);
2134 			return err;
2135 		}
2136 		pr_err("alg: aead: %s %s unexpectedly succeeded on test vector %s; expected_error=%s, cfg=\"%s\"\n",
2137 		       driver, op, vec_name, expected_error, cfg->name);
2138 		return -EINVAL;
2139 	}
2140 	if (err) /* Expectedly failed. */
2141 		return 0;
2142 
2143 	/* Check for the correct output (ciphertext or plaintext) */
2144 	err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2145 				    enc ? vec->clen : vec->plen,
2146 				    vec->alen,
2147 				    enc || cfg->inplace_mode == OUT_OF_PLACE);
2148 	if (err == -EOVERFLOW) {
2149 		pr_err("alg: aead: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2150 		       driver, op, vec_name, cfg->name);
2151 		return err;
2152 	}
2153 	if (err) {
2154 		pr_err("alg: aead: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2155 		       driver, op, vec_name, cfg->name);
2156 		return err;
2157 	}
2158 
2159 	return 0;
2160 }
2161 
2162 static int test_aead_vec(int enc, const struct aead_testvec *vec,
2163 			 unsigned int vec_num, struct aead_request *req,
2164 			 struct cipher_test_sglists *tsgls)
2165 {
2166 	char vec_name[16];
2167 	unsigned int i;
2168 	int err;
2169 
2170 	if (enc && vec->novrfy)
2171 		return 0;
2172 
2173 	sprintf(vec_name, "%u", vec_num);
2174 
2175 	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2176 		err = test_aead_vec_cfg(enc, vec, vec_name,
2177 					&default_cipher_testvec_configs[i],
2178 					req, tsgls);
2179 		if (err)
2180 			return err;
2181 	}
2182 
2183 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2184 	if (!noextratests) {
2185 		struct testvec_config cfg;
2186 		char cfgname[TESTVEC_CONFIG_NAMELEN];
2187 
2188 		for (i = 0; i < fuzz_iterations; i++) {
2189 			generate_random_testvec_config(&cfg, cfgname,
2190 						       sizeof(cfgname));
2191 			err = test_aead_vec_cfg(enc, vec, vec_name,
2192 						&cfg, req, tsgls);
2193 			if (err)
2194 				return err;
2195 			cond_resched();
2196 		}
2197 	}
2198 #endif
2199 	return 0;
2200 }
2201 
2202 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2203 
2204 struct aead_extra_tests_ctx {
2205 	struct aead_request *req;
2206 	struct crypto_aead *tfm;
2207 	const struct alg_test_desc *test_desc;
2208 	struct cipher_test_sglists *tsgls;
2209 	unsigned int maxdatasize;
2210 	unsigned int maxkeysize;
2211 
2212 	struct aead_testvec vec;
2213 	char vec_name[64];
2214 	char cfgname[TESTVEC_CONFIG_NAMELEN];
2215 	struct testvec_config cfg;
2216 };
2217 
2218 /*
2219  * Make at least one random change to a (ciphertext, AAD) pair.  "Ciphertext"
2220  * here means the full ciphertext including the authentication tag.  The
2221  * authentication tag (and hence also the ciphertext) is assumed to be nonempty.
2222  */
2223 static void mutate_aead_message(struct aead_testvec *vec, bool aad_iv,
2224 				unsigned int ivsize)
2225 {
2226 	const unsigned int aad_tail_size = aad_iv ? ivsize : 0;
2227 	const unsigned int authsize = vec->clen - vec->plen;
2228 
2229 	if (get_random_u32_below(2) == 0 && vec->alen > aad_tail_size) {
2230 		 /* Mutate the AAD */
2231 		flip_random_bit((u8 *)vec->assoc, vec->alen - aad_tail_size);
2232 		if (get_random_u32_below(2) == 0)
2233 			return;
2234 	}
2235 	if (get_random_u32_below(2) == 0) {
2236 		/* Mutate auth tag (assuming it's at the end of ciphertext) */
2237 		flip_random_bit((u8 *)vec->ctext + vec->plen, authsize);
2238 	} else {
2239 		/* Mutate any part of the ciphertext */
2240 		flip_random_bit((u8 *)vec->ctext, vec->clen);
2241 	}
2242 }
2243 
2244 /*
2245  * Minimum authentication tag size in bytes at which we assume that we can
2246  * reliably generate inauthentic messages, i.e. not generate an authentic
2247  * message by chance.
2248  */
2249 #define MIN_COLLISION_FREE_AUTHSIZE 8
2250 
2251 static void generate_aead_message(struct aead_request *req,
2252 				  const struct aead_test_suite *suite,
2253 				  struct aead_testvec *vec,
2254 				  bool prefer_inauthentic)
2255 {
2256 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2257 	const unsigned int ivsize = crypto_aead_ivsize(tfm);
2258 	const unsigned int authsize = vec->clen - vec->plen;
2259 	const bool inauthentic = (authsize >= MIN_COLLISION_FREE_AUTHSIZE) &&
2260 				 (prefer_inauthentic || get_random_u32_below(4) == 0);
2261 
2262 	/* Generate the AAD. */
2263 	generate_random_bytes((u8 *)vec->assoc, vec->alen);
2264 	if (suite->aad_iv && vec->alen >= ivsize)
2265 		/* Avoid implementation-defined behavior. */
2266 		memcpy((u8 *)vec->assoc + vec->alen - ivsize, vec->iv, ivsize);
2267 
2268 	if (inauthentic && get_random_u32_below(2) == 0) {
2269 		/* Generate a random ciphertext. */
2270 		generate_random_bytes((u8 *)vec->ctext, vec->clen);
2271 	} else {
2272 		int i = 0;
2273 		struct scatterlist src[2], dst;
2274 		u8 iv[MAX_IVLEN];
2275 		DECLARE_CRYPTO_WAIT(wait);
2276 
2277 		/* Generate a random plaintext and encrypt it. */
2278 		sg_init_table(src, 2);
2279 		if (vec->alen)
2280 			sg_set_buf(&src[i++], vec->assoc, vec->alen);
2281 		if (vec->plen) {
2282 			generate_random_bytes((u8 *)vec->ptext, vec->plen);
2283 			sg_set_buf(&src[i++], vec->ptext, vec->plen);
2284 		}
2285 		sg_init_one(&dst, vec->ctext, vec->alen + vec->clen);
2286 		memcpy(iv, vec->iv, ivsize);
2287 		aead_request_set_callback(req, 0, crypto_req_done, &wait);
2288 		aead_request_set_crypt(req, src, &dst, vec->plen, iv);
2289 		aead_request_set_ad(req, vec->alen);
2290 		vec->crypt_error = crypto_wait_req(crypto_aead_encrypt(req),
2291 						   &wait);
2292 		/* If encryption failed, we're done. */
2293 		if (vec->crypt_error != 0)
2294 			return;
2295 		memmove((u8 *)vec->ctext, vec->ctext + vec->alen, vec->clen);
2296 		if (!inauthentic)
2297 			return;
2298 		/*
2299 		 * Mutate the authentic (ciphertext, AAD) pair to get an
2300 		 * inauthentic one.
2301 		 */
2302 		mutate_aead_message(vec, suite->aad_iv, ivsize);
2303 	}
2304 	vec->novrfy = 1;
2305 	if (suite->einval_allowed)
2306 		vec->crypt_error = -EINVAL;
2307 }
2308 
2309 /*
2310  * Generate an AEAD test vector 'vec' using the implementation specified by
2311  * 'req'.  The buffers in 'vec' must already be allocated.
2312  *
2313  * If 'prefer_inauthentic' is true, then this function will generate inauthentic
2314  * test vectors (i.e. vectors with 'vec->novrfy=1') more often.
2315  */
2316 static void generate_random_aead_testvec(struct aead_request *req,
2317 					 struct aead_testvec *vec,
2318 					 const struct aead_test_suite *suite,
2319 					 unsigned int maxkeysize,
2320 					 unsigned int maxdatasize,
2321 					 char *name, size_t max_namelen,
2322 					 bool prefer_inauthentic)
2323 {
2324 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
2325 	const unsigned int ivsize = crypto_aead_ivsize(tfm);
2326 	const unsigned int maxauthsize = crypto_aead_maxauthsize(tfm);
2327 	unsigned int authsize;
2328 	unsigned int total_len;
2329 
2330 	/* Key: length in [0, maxkeysize], but usually choose maxkeysize */
2331 	vec->klen = maxkeysize;
2332 	if (get_random_u32_below(4) == 0)
2333 		vec->klen = get_random_u32_below(maxkeysize + 1);
2334 	generate_random_bytes((u8 *)vec->key, vec->klen);
2335 	vec->setkey_error = crypto_aead_setkey(tfm, vec->key, vec->klen);
2336 
2337 	/* IV */
2338 	generate_random_bytes((u8 *)vec->iv, ivsize);
2339 
2340 	/* Tag length: in [0, maxauthsize], but usually choose maxauthsize */
2341 	authsize = maxauthsize;
2342 	if (get_random_u32_below(4) == 0)
2343 		authsize = get_random_u32_below(maxauthsize + 1);
2344 	if (prefer_inauthentic && authsize < MIN_COLLISION_FREE_AUTHSIZE)
2345 		authsize = MIN_COLLISION_FREE_AUTHSIZE;
2346 	if (WARN_ON(authsize > maxdatasize))
2347 		authsize = maxdatasize;
2348 	maxdatasize -= authsize;
2349 	vec->setauthsize_error = crypto_aead_setauthsize(tfm, authsize);
2350 
2351 	/* AAD, plaintext, and ciphertext lengths */
2352 	total_len = generate_random_length(maxdatasize);
2353 	if (get_random_u32_below(4) == 0)
2354 		vec->alen = 0;
2355 	else
2356 		vec->alen = generate_random_length(total_len);
2357 	vec->plen = total_len - vec->alen;
2358 	vec->clen = vec->plen + authsize;
2359 
2360 	/*
2361 	 * Generate the AAD, plaintext, and ciphertext.  Not applicable if the
2362 	 * key or the authentication tag size couldn't be set.
2363 	 */
2364 	vec->novrfy = 0;
2365 	vec->crypt_error = 0;
2366 	if (vec->setkey_error == 0 && vec->setauthsize_error == 0)
2367 		generate_aead_message(req, suite, vec, prefer_inauthentic);
2368 	snprintf(name, max_namelen,
2369 		 "\"random: alen=%u plen=%u authsize=%u klen=%u novrfy=%d\"",
2370 		 vec->alen, vec->plen, authsize, vec->klen, vec->novrfy);
2371 }
2372 
2373 static void try_to_generate_inauthentic_testvec(
2374 					struct aead_extra_tests_ctx *ctx)
2375 {
2376 	int i;
2377 
2378 	for (i = 0; i < 10; i++) {
2379 		generate_random_aead_testvec(ctx->req, &ctx->vec,
2380 					     &ctx->test_desc->suite.aead,
2381 					     ctx->maxkeysize, ctx->maxdatasize,
2382 					     ctx->vec_name,
2383 					     sizeof(ctx->vec_name), true);
2384 		if (ctx->vec.novrfy)
2385 			return;
2386 	}
2387 }
2388 
2389 /*
2390  * Generate inauthentic test vectors (i.e. ciphertext, AAD pairs that aren't the
2391  * result of an encryption with the key) and verify that decryption fails.
2392  */
2393 static int test_aead_inauthentic_inputs(struct aead_extra_tests_ctx *ctx)
2394 {
2395 	unsigned int i;
2396 	int err;
2397 
2398 	for (i = 0; i < fuzz_iterations * 8; i++) {
2399 		/*
2400 		 * Since this part of the tests isn't comparing the
2401 		 * implementation to another, there's no point in testing any
2402 		 * test vectors other than inauthentic ones (vec.novrfy=1) here.
2403 		 *
2404 		 * If we're having trouble generating such a test vector, e.g.
2405 		 * if the algorithm keeps rejecting the generated keys, don't
2406 		 * retry forever; just continue on.
2407 		 */
2408 		try_to_generate_inauthentic_testvec(ctx);
2409 		if (ctx->vec.novrfy) {
2410 			generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
2411 						       sizeof(ctx->cfgname));
2412 			err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2413 						ctx->vec_name, &ctx->cfg,
2414 						ctx->req, ctx->tsgls);
2415 			if (err)
2416 				return err;
2417 		}
2418 		cond_resched();
2419 	}
2420 	return 0;
2421 }
2422 
2423 /*
2424  * Test the AEAD algorithm against the corresponding generic implementation, if
2425  * one is available.
2426  */
2427 static int test_aead_vs_generic_impl(struct aead_extra_tests_ctx *ctx)
2428 {
2429 	struct crypto_aead *tfm = ctx->tfm;
2430 	const char *algname = crypto_aead_alg(tfm)->base.cra_name;
2431 	const char *driver = crypto_aead_driver_name(tfm);
2432 	const char *generic_driver = ctx->test_desc->generic_driver;
2433 	char _generic_driver[CRYPTO_MAX_ALG_NAME];
2434 	struct crypto_aead *generic_tfm = NULL;
2435 	struct aead_request *generic_req = NULL;
2436 	unsigned int i;
2437 	int err;
2438 
2439 	if (!generic_driver) { /* Use default naming convention? */
2440 		err = build_generic_driver_name(algname, _generic_driver);
2441 		if (err)
2442 			return err;
2443 		generic_driver = _generic_driver;
2444 	}
2445 
2446 	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
2447 		return 0;
2448 
2449 	generic_tfm = crypto_alloc_aead(generic_driver, 0, 0);
2450 	if (IS_ERR(generic_tfm)) {
2451 		err = PTR_ERR(generic_tfm);
2452 		if (err == -ENOENT) {
2453 			pr_warn("alg: aead: skipping comparison tests for %s because %s is unavailable\n",
2454 				driver, generic_driver);
2455 			return 0;
2456 		}
2457 		pr_err("alg: aead: error allocating %s (generic impl of %s): %d\n",
2458 		       generic_driver, algname, err);
2459 		return err;
2460 	}
2461 
2462 	generic_req = aead_request_alloc(generic_tfm, GFP_KERNEL);
2463 	if (!generic_req) {
2464 		err = -ENOMEM;
2465 		goto out;
2466 	}
2467 
2468 	/* Check the algorithm properties for consistency. */
2469 
2470 	if (crypto_aead_maxauthsize(tfm) !=
2471 	    crypto_aead_maxauthsize(generic_tfm)) {
2472 		pr_err("alg: aead: maxauthsize for %s (%u) doesn't match generic impl (%u)\n",
2473 		       driver, crypto_aead_maxauthsize(tfm),
2474 		       crypto_aead_maxauthsize(generic_tfm));
2475 		err = -EINVAL;
2476 		goto out;
2477 	}
2478 
2479 	if (crypto_aead_ivsize(tfm) != crypto_aead_ivsize(generic_tfm)) {
2480 		pr_err("alg: aead: ivsize for %s (%u) doesn't match generic impl (%u)\n",
2481 		       driver, crypto_aead_ivsize(tfm),
2482 		       crypto_aead_ivsize(generic_tfm));
2483 		err = -EINVAL;
2484 		goto out;
2485 	}
2486 
2487 	if (crypto_aead_blocksize(tfm) != crypto_aead_blocksize(generic_tfm)) {
2488 		pr_err("alg: aead: blocksize for %s (%u) doesn't match generic impl (%u)\n",
2489 		       driver, crypto_aead_blocksize(tfm),
2490 		       crypto_aead_blocksize(generic_tfm));
2491 		err = -EINVAL;
2492 		goto out;
2493 	}
2494 
2495 	/*
2496 	 * Now generate test vectors using the generic implementation, and test
2497 	 * the other implementation against them.
2498 	 */
2499 	for (i = 0; i < fuzz_iterations * 8; i++) {
2500 		generate_random_aead_testvec(generic_req, &ctx->vec,
2501 					     &ctx->test_desc->suite.aead,
2502 					     ctx->maxkeysize, ctx->maxdatasize,
2503 					     ctx->vec_name,
2504 					     sizeof(ctx->vec_name), false);
2505 		generate_random_testvec_config(&ctx->cfg, ctx->cfgname,
2506 					       sizeof(ctx->cfgname));
2507 		if (!ctx->vec.novrfy) {
2508 			err = test_aead_vec_cfg(ENCRYPT, &ctx->vec,
2509 						ctx->vec_name, &ctx->cfg,
2510 						ctx->req, ctx->tsgls);
2511 			if (err)
2512 				goto out;
2513 		}
2514 		if (ctx->vec.crypt_error == 0 || ctx->vec.novrfy) {
2515 			err = test_aead_vec_cfg(DECRYPT, &ctx->vec,
2516 						ctx->vec_name, &ctx->cfg,
2517 						ctx->req, ctx->tsgls);
2518 			if (err)
2519 				goto out;
2520 		}
2521 		cond_resched();
2522 	}
2523 	err = 0;
2524 out:
2525 	crypto_free_aead(generic_tfm);
2526 	aead_request_free(generic_req);
2527 	return err;
2528 }
2529 
2530 static int test_aead_extra(const struct alg_test_desc *test_desc,
2531 			   struct aead_request *req,
2532 			   struct cipher_test_sglists *tsgls)
2533 {
2534 	struct aead_extra_tests_ctx *ctx;
2535 	unsigned int i;
2536 	int err;
2537 
2538 	if (noextratests)
2539 		return 0;
2540 
2541 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2542 	if (!ctx)
2543 		return -ENOMEM;
2544 	ctx->req = req;
2545 	ctx->tfm = crypto_aead_reqtfm(req);
2546 	ctx->test_desc = test_desc;
2547 	ctx->tsgls = tsgls;
2548 	ctx->maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
2549 	ctx->maxkeysize = 0;
2550 	for (i = 0; i < test_desc->suite.aead.count; i++)
2551 		ctx->maxkeysize = max_t(unsigned int, ctx->maxkeysize,
2552 					test_desc->suite.aead.vecs[i].klen);
2553 
2554 	ctx->vec.key = kmalloc(ctx->maxkeysize, GFP_KERNEL);
2555 	ctx->vec.iv = kmalloc(crypto_aead_ivsize(ctx->tfm), GFP_KERNEL);
2556 	ctx->vec.assoc = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2557 	ctx->vec.ptext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2558 	ctx->vec.ctext = kmalloc(ctx->maxdatasize, GFP_KERNEL);
2559 	if (!ctx->vec.key || !ctx->vec.iv || !ctx->vec.assoc ||
2560 	    !ctx->vec.ptext || !ctx->vec.ctext) {
2561 		err = -ENOMEM;
2562 		goto out;
2563 	}
2564 
2565 	err = test_aead_vs_generic_impl(ctx);
2566 	if (err)
2567 		goto out;
2568 
2569 	err = test_aead_inauthentic_inputs(ctx);
2570 out:
2571 	kfree(ctx->vec.key);
2572 	kfree(ctx->vec.iv);
2573 	kfree(ctx->vec.assoc);
2574 	kfree(ctx->vec.ptext);
2575 	kfree(ctx->vec.ctext);
2576 	kfree(ctx);
2577 	return err;
2578 }
2579 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2580 static int test_aead_extra(const struct alg_test_desc *test_desc,
2581 			   struct aead_request *req,
2582 			   struct cipher_test_sglists *tsgls)
2583 {
2584 	return 0;
2585 }
2586 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
2587 
2588 static int test_aead(int enc, const struct aead_test_suite *suite,
2589 		     struct aead_request *req,
2590 		     struct cipher_test_sglists *tsgls)
2591 {
2592 	unsigned int i;
2593 	int err;
2594 
2595 	for (i = 0; i < suite->count; i++) {
2596 		err = test_aead_vec(enc, &suite->vecs[i], i, req, tsgls);
2597 		if (err)
2598 			return err;
2599 		cond_resched();
2600 	}
2601 	return 0;
2602 }
2603 
2604 static int alg_test_aead(const struct alg_test_desc *desc, const char *driver,
2605 			 u32 type, u32 mask)
2606 {
2607 	const struct aead_test_suite *suite = &desc->suite.aead;
2608 	struct crypto_aead *tfm;
2609 	struct aead_request *req = NULL;
2610 	struct cipher_test_sglists *tsgls = NULL;
2611 	int err;
2612 
2613 	if (suite->count <= 0) {
2614 		pr_err("alg: aead: empty test suite for %s\n", driver);
2615 		return -EINVAL;
2616 	}
2617 
2618 	tfm = crypto_alloc_aead(driver, type, mask);
2619 	if (IS_ERR(tfm)) {
2620 		pr_err("alg: aead: failed to allocate transform for %s: %ld\n",
2621 		       driver, PTR_ERR(tfm));
2622 		return PTR_ERR(tfm);
2623 	}
2624 	driver = crypto_aead_driver_name(tfm);
2625 
2626 	req = aead_request_alloc(tfm, GFP_KERNEL);
2627 	if (!req) {
2628 		pr_err("alg: aead: failed to allocate request for %s\n",
2629 		       driver);
2630 		err = -ENOMEM;
2631 		goto out;
2632 	}
2633 
2634 	tsgls = alloc_cipher_test_sglists();
2635 	if (!tsgls) {
2636 		pr_err("alg: aead: failed to allocate test buffers for %s\n",
2637 		       driver);
2638 		err = -ENOMEM;
2639 		goto out;
2640 	}
2641 
2642 	err = test_aead(ENCRYPT, suite, req, tsgls);
2643 	if (err)
2644 		goto out;
2645 
2646 	err = test_aead(DECRYPT, suite, req, tsgls);
2647 	if (err)
2648 		goto out;
2649 
2650 	err = test_aead_extra(desc, req, tsgls);
2651 out:
2652 	free_cipher_test_sglists(tsgls);
2653 	aead_request_free(req);
2654 	crypto_free_aead(tfm);
2655 	return err;
2656 }
2657 
2658 static int test_cipher(struct crypto_cipher *tfm, int enc,
2659 		       const struct cipher_testvec *template,
2660 		       unsigned int tcount)
2661 {
2662 	const char *algo = crypto_tfm_alg_driver_name(crypto_cipher_tfm(tfm));
2663 	unsigned int i, j, k;
2664 	char *q;
2665 	const char *e;
2666 	const char *input, *result;
2667 	void *data;
2668 	char *xbuf[XBUFSIZE];
2669 	int ret = -ENOMEM;
2670 
2671 	if (testmgr_alloc_buf(xbuf))
2672 		goto out_nobuf;
2673 
2674 	if (enc == ENCRYPT)
2675 	        e = "encryption";
2676 	else
2677 		e = "decryption";
2678 
2679 	j = 0;
2680 	for (i = 0; i < tcount; i++) {
2681 
2682 		if (fips_enabled && template[i].fips_skip)
2683 			continue;
2684 
2685 		input  = enc ? template[i].ptext : template[i].ctext;
2686 		result = enc ? template[i].ctext : template[i].ptext;
2687 		j++;
2688 
2689 		ret = -EINVAL;
2690 		if (WARN_ON(template[i].len > PAGE_SIZE))
2691 			goto out;
2692 
2693 		data = xbuf[0];
2694 		memcpy(data, input, template[i].len);
2695 
2696 		crypto_cipher_clear_flags(tfm, ~0);
2697 		if (template[i].wk)
2698 			crypto_cipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2699 
2700 		ret = crypto_cipher_setkey(tfm, template[i].key,
2701 					   template[i].klen);
2702 		if (ret) {
2703 			if (ret == template[i].setkey_error)
2704 				continue;
2705 			pr_err("alg: cipher: %s setkey failed on test vector %u; expected_error=%d, actual_error=%d, flags=%#x\n",
2706 			       algo, j, template[i].setkey_error, ret,
2707 			       crypto_cipher_get_flags(tfm));
2708 			goto out;
2709 		}
2710 		if (template[i].setkey_error) {
2711 			pr_err("alg: cipher: %s setkey unexpectedly succeeded on test vector %u; expected_error=%d\n",
2712 			       algo, j, template[i].setkey_error);
2713 			ret = -EINVAL;
2714 			goto out;
2715 		}
2716 
2717 		for (k = 0; k < template[i].len;
2718 		     k += crypto_cipher_blocksize(tfm)) {
2719 			if (enc)
2720 				crypto_cipher_encrypt_one(tfm, data + k,
2721 							  data + k);
2722 			else
2723 				crypto_cipher_decrypt_one(tfm, data + k,
2724 							  data + k);
2725 		}
2726 
2727 		q = data;
2728 		if (memcmp(q, result, template[i].len)) {
2729 			printk(KERN_ERR "alg: cipher: Test %d failed "
2730 			       "on %s for %s\n", j, e, algo);
2731 			hexdump(q, template[i].len);
2732 			ret = -EINVAL;
2733 			goto out;
2734 		}
2735 	}
2736 
2737 	ret = 0;
2738 
2739 out:
2740 	testmgr_free_buf(xbuf);
2741 out_nobuf:
2742 	return ret;
2743 }
2744 
2745 static int test_skcipher_vec_cfg(int enc, const struct cipher_testvec *vec,
2746 				 const char *vec_name,
2747 				 const struct testvec_config *cfg,
2748 				 struct skcipher_request *req,
2749 				 struct cipher_test_sglists *tsgls)
2750 {
2751 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2752 	const unsigned int alignmask = crypto_skcipher_alignmask(tfm);
2753 	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2754 	const char *driver = crypto_skcipher_driver_name(tfm);
2755 	const u32 req_flags = CRYPTO_TFM_REQ_MAY_BACKLOG | cfg->req_flags;
2756 	const char *op = enc ? "encryption" : "decryption";
2757 	DECLARE_CRYPTO_WAIT(wait);
2758 	u8 _iv[3 * (MAX_ALGAPI_ALIGNMASK + 1) + MAX_IVLEN];
2759 	u8 *iv = PTR_ALIGN(&_iv[0], 2 * (MAX_ALGAPI_ALIGNMASK + 1)) +
2760 		 cfg->iv_offset +
2761 		 (cfg->iv_offset_relative_to_alignmask ? alignmask : 0);
2762 	struct kvec input;
2763 	int err;
2764 
2765 	/* Set the key */
2766 	if (vec->wk)
2767 		crypto_skcipher_set_flags(tfm, CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2768 	else
2769 		crypto_skcipher_clear_flags(tfm,
2770 					    CRYPTO_TFM_REQ_FORBID_WEAK_KEYS);
2771 	err = do_setkey(crypto_skcipher_setkey, tfm, vec->key, vec->klen,
2772 			cfg, alignmask);
2773 	if (err) {
2774 		if (err == vec->setkey_error)
2775 			return 0;
2776 		pr_err("alg: skcipher: %s setkey failed on test vector %s; expected_error=%d, actual_error=%d, flags=%#x\n",
2777 		       driver, vec_name, vec->setkey_error, err,
2778 		       crypto_skcipher_get_flags(tfm));
2779 		return err;
2780 	}
2781 	if (vec->setkey_error) {
2782 		pr_err("alg: skcipher: %s setkey unexpectedly succeeded on test vector %s; expected_error=%d\n",
2783 		       driver, vec_name, vec->setkey_error);
2784 		return -EINVAL;
2785 	}
2786 
2787 	/* The IV must be copied to a buffer, as the algorithm may modify it */
2788 	if (ivsize) {
2789 		if (WARN_ON(ivsize > MAX_IVLEN))
2790 			return -EINVAL;
2791 		if (vec->generates_iv && !enc)
2792 			memcpy(iv, vec->iv_out, ivsize);
2793 		else if (vec->iv)
2794 			memcpy(iv, vec->iv, ivsize);
2795 		else
2796 			memset(iv, 0, ivsize);
2797 	} else {
2798 		if (vec->generates_iv) {
2799 			pr_err("alg: skcipher: %s has ivsize=0 but test vector %s generates IV!\n",
2800 			       driver, vec_name);
2801 			return -EINVAL;
2802 		}
2803 		iv = NULL;
2804 	}
2805 
2806 	/* Build the src/dst scatterlists */
2807 	input.iov_base = enc ? (void *)vec->ptext : (void *)vec->ctext;
2808 	input.iov_len = vec->len;
2809 	err = build_cipher_test_sglists(tsgls, cfg, alignmask,
2810 					vec->len, vec->len, &input, 1);
2811 	if (err) {
2812 		pr_err("alg: skcipher: %s %s: error preparing scatterlists for test vector %s, cfg=\"%s\"\n",
2813 		       driver, op, vec_name, cfg->name);
2814 		return err;
2815 	}
2816 
2817 	/* Do the actual encryption or decryption */
2818 	testmgr_poison(req->__ctx, crypto_skcipher_reqsize(tfm));
2819 	skcipher_request_set_callback(req, req_flags, crypto_req_done, &wait);
2820 	skcipher_request_set_crypt(req, tsgls->src.sgl_ptr, tsgls->dst.sgl_ptr,
2821 				   vec->len, iv);
2822 	if (cfg->nosimd)
2823 		crypto_disable_simd_for_test();
2824 	err = enc ? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req);
2825 	if (cfg->nosimd)
2826 		crypto_reenable_simd_for_test();
2827 	err = crypto_wait_req(err, &wait);
2828 
2829 	/* Check that the algorithm didn't overwrite things it shouldn't have */
2830 	if (req->cryptlen != vec->len ||
2831 	    req->iv != iv ||
2832 	    req->src != tsgls->src.sgl_ptr ||
2833 	    req->dst != tsgls->dst.sgl_ptr ||
2834 	    crypto_skcipher_reqtfm(req) != tfm ||
2835 	    req->base.complete != crypto_req_done ||
2836 	    req->base.flags != req_flags ||
2837 	    req->base.data != &wait) {
2838 		pr_err("alg: skcipher: %s %s corrupted request struct on test vector %s, cfg=\"%s\"\n",
2839 		       driver, op, vec_name, cfg->name);
2840 		if (req->cryptlen != vec->len)
2841 			pr_err("alg: skcipher: changed 'req->cryptlen'\n");
2842 		if (req->iv != iv)
2843 			pr_err("alg: skcipher: changed 'req->iv'\n");
2844 		if (req->src != tsgls->src.sgl_ptr)
2845 			pr_err("alg: skcipher: changed 'req->src'\n");
2846 		if (req->dst != tsgls->dst.sgl_ptr)
2847 			pr_err("alg: skcipher: changed 'req->dst'\n");
2848 		if (crypto_skcipher_reqtfm(req) != tfm)
2849 			pr_err("alg: skcipher: changed 'req->base.tfm'\n");
2850 		if (req->base.complete != crypto_req_done)
2851 			pr_err("alg: skcipher: changed 'req->base.complete'\n");
2852 		if (req->base.flags != req_flags)
2853 			pr_err("alg: skcipher: changed 'req->base.flags'\n");
2854 		if (req->base.data != &wait)
2855 			pr_err("alg: skcipher: changed 'req->base.data'\n");
2856 		return -EINVAL;
2857 	}
2858 	if (is_test_sglist_corrupted(&tsgls->src)) {
2859 		pr_err("alg: skcipher: %s %s corrupted src sgl on test vector %s, cfg=\"%s\"\n",
2860 		       driver, op, vec_name, cfg->name);
2861 		return -EINVAL;
2862 	}
2863 	if (tsgls->dst.sgl_ptr != tsgls->src.sgl &&
2864 	    is_test_sglist_corrupted(&tsgls->dst)) {
2865 		pr_err("alg: skcipher: %s %s corrupted dst sgl on test vector %s, cfg=\"%s\"\n",
2866 		       driver, op, vec_name, cfg->name);
2867 		return -EINVAL;
2868 	}
2869 
2870 	/* Check for success or failure */
2871 	if (err) {
2872 		if (err == vec->crypt_error)
2873 			return 0;
2874 		pr_err("alg: skcipher: %s %s failed on test vector %s; expected_error=%d, actual_error=%d, cfg=\"%s\"\n",
2875 		       driver, op, vec_name, vec->crypt_error, err, cfg->name);
2876 		return err;
2877 	}
2878 	if (vec->crypt_error) {
2879 		pr_err("alg: skcipher: %s %s unexpectedly succeeded on test vector %s; expected_error=%d, cfg=\"%s\"\n",
2880 		       driver, op, vec_name, vec->crypt_error, cfg->name);
2881 		return -EINVAL;
2882 	}
2883 
2884 	/* Check for the correct output (ciphertext or plaintext) */
2885 	err = verify_correct_output(&tsgls->dst, enc ? vec->ctext : vec->ptext,
2886 				    vec->len, 0, true);
2887 	if (err == -EOVERFLOW) {
2888 		pr_err("alg: skcipher: %s %s overran dst buffer on test vector %s, cfg=\"%s\"\n",
2889 		       driver, op, vec_name, cfg->name);
2890 		return err;
2891 	}
2892 	if (err) {
2893 		pr_err("alg: skcipher: %s %s test failed (wrong result) on test vector %s, cfg=\"%s\"\n",
2894 		       driver, op, vec_name, cfg->name);
2895 		return err;
2896 	}
2897 
2898 	/* If applicable, check that the algorithm generated the correct IV */
2899 	if (vec->iv_out && memcmp(iv, vec->iv_out, ivsize) != 0) {
2900 		pr_err("alg: skcipher: %s %s test failed (wrong output IV) on test vector %s, cfg=\"%s\"\n",
2901 		       driver, op, vec_name, cfg->name);
2902 		hexdump(iv, ivsize);
2903 		return -EINVAL;
2904 	}
2905 
2906 	return 0;
2907 }
2908 
2909 static int test_skcipher_vec(int enc, const struct cipher_testvec *vec,
2910 			     unsigned int vec_num,
2911 			     struct skcipher_request *req,
2912 			     struct cipher_test_sglists *tsgls)
2913 {
2914 	char vec_name[16];
2915 	unsigned int i;
2916 	int err;
2917 
2918 	if (fips_enabled && vec->fips_skip)
2919 		return 0;
2920 
2921 	sprintf(vec_name, "%u", vec_num);
2922 
2923 	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++) {
2924 		err = test_skcipher_vec_cfg(enc, vec, vec_name,
2925 					    &default_cipher_testvec_configs[i],
2926 					    req, tsgls);
2927 		if (err)
2928 			return err;
2929 	}
2930 
2931 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2932 	if (!noextratests) {
2933 		struct testvec_config cfg;
2934 		char cfgname[TESTVEC_CONFIG_NAMELEN];
2935 
2936 		for (i = 0; i < fuzz_iterations; i++) {
2937 			generate_random_testvec_config(&cfg, cfgname,
2938 						       sizeof(cfgname));
2939 			err = test_skcipher_vec_cfg(enc, vec, vec_name,
2940 						    &cfg, req, tsgls);
2941 			if (err)
2942 				return err;
2943 			cond_resched();
2944 		}
2945 	}
2946 #endif
2947 	return 0;
2948 }
2949 
2950 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
2951 /*
2952  * Generate a symmetric cipher test vector from the given implementation.
2953  * Assumes the buffers in 'vec' were already allocated.
2954  */
2955 static void generate_random_cipher_testvec(struct skcipher_request *req,
2956 					   struct cipher_testvec *vec,
2957 					   unsigned int maxdatasize,
2958 					   char *name, size_t max_namelen)
2959 {
2960 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2961 	const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
2962 	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
2963 	struct scatterlist src, dst;
2964 	u8 iv[MAX_IVLEN];
2965 	DECLARE_CRYPTO_WAIT(wait);
2966 
2967 	/* Key: length in [0, maxkeysize], but usually choose maxkeysize */
2968 	vec->klen = maxkeysize;
2969 	if (get_random_u32_below(4) == 0)
2970 		vec->klen = get_random_u32_below(maxkeysize + 1);
2971 	generate_random_bytes((u8 *)vec->key, vec->klen);
2972 	vec->setkey_error = crypto_skcipher_setkey(tfm, vec->key, vec->klen);
2973 
2974 	/* IV */
2975 	generate_random_bytes((u8 *)vec->iv, ivsize);
2976 
2977 	/* Plaintext */
2978 	vec->len = generate_random_length(maxdatasize);
2979 	generate_random_bytes((u8 *)vec->ptext, vec->len);
2980 
2981 	/* If the key couldn't be set, no need to continue to encrypt. */
2982 	if (vec->setkey_error)
2983 		goto done;
2984 
2985 	/* Ciphertext */
2986 	sg_init_one(&src, vec->ptext, vec->len);
2987 	sg_init_one(&dst, vec->ctext, vec->len);
2988 	memcpy(iv, vec->iv, ivsize);
2989 	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
2990 	skcipher_request_set_crypt(req, &src, &dst, vec->len, iv);
2991 	vec->crypt_error = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
2992 	if (vec->crypt_error != 0) {
2993 		/*
2994 		 * The only acceptable error here is for an invalid length, so
2995 		 * skcipher decryption should fail with the same error too.
2996 		 * We'll test for this.  But to keep the API usage well-defined,
2997 		 * explicitly initialize the ciphertext buffer too.
2998 		 */
2999 		memset((u8 *)vec->ctext, 0, vec->len);
3000 	}
3001 done:
3002 	snprintf(name, max_namelen, "\"random: len=%u klen=%u\"",
3003 		 vec->len, vec->klen);
3004 }
3005 
3006 /*
3007  * Test the skcipher algorithm represented by @req against the corresponding
3008  * generic implementation, if one is available.
3009  */
3010 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3011 					 struct skcipher_request *req,
3012 					 struct cipher_test_sglists *tsgls)
3013 {
3014 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3015 	const unsigned int maxkeysize = crypto_skcipher_max_keysize(tfm);
3016 	const unsigned int ivsize = crypto_skcipher_ivsize(tfm);
3017 	const unsigned int blocksize = crypto_skcipher_blocksize(tfm);
3018 	const unsigned int maxdatasize = (2 * PAGE_SIZE) - TESTMGR_POISON_LEN;
3019 	const char *algname = crypto_skcipher_alg(tfm)->base.cra_name;
3020 	const char *driver = crypto_skcipher_driver_name(tfm);
3021 	char _generic_driver[CRYPTO_MAX_ALG_NAME];
3022 	struct crypto_skcipher *generic_tfm = NULL;
3023 	struct skcipher_request *generic_req = NULL;
3024 	unsigned int i;
3025 	struct cipher_testvec vec = { 0 };
3026 	char vec_name[64];
3027 	struct testvec_config *cfg;
3028 	char cfgname[TESTVEC_CONFIG_NAMELEN];
3029 	int err;
3030 
3031 	if (noextratests)
3032 		return 0;
3033 
3034 	/* Keywrap isn't supported here yet as it handles its IV differently. */
3035 	if (strncmp(algname, "kw(", 3) == 0)
3036 		return 0;
3037 
3038 	if (!generic_driver) { /* Use default naming convention? */
3039 		err = build_generic_driver_name(algname, _generic_driver);
3040 		if (err)
3041 			return err;
3042 		generic_driver = _generic_driver;
3043 	}
3044 
3045 	if (strcmp(generic_driver, driver) == 0) /* Already the generic impl? */
3046 		return 0;
3047 
3048 	generic_tfm = crypto_alloc_skcipher(generic_driver, 0, 0);
3049 	if (IS_ERR(generic_tfm)) {
3050 		err = PTR_ERR(generic_tfm);
3051 		if (err == -ENOENT) {
3052 			pr_warn("alg: skcipher: skipping comparison tests for %s because %s is unavailable\n",
3053 				driver, generic_driver);
3054 			return 0;
3055 		}
3056 		pr_err("alg: skcipher: error allocating %s (generic impl of %s): %d\n",
3057 		       generic_driver, algname, err);
3058 		return err;
3059 	}
3060 
3061 	cfg = kzalloc(sizeof(*cfg), GFP_KERNEL);
3062 	if (!cfg) {
3063 		err = -ENOMEM;
3064 		goto out;
3065 	}
3066 
3067 	generic_req = skcipher_request_alloc(generic_tfm, GFP_KERNEL);
3068 	if (!generic_req) {
3069 		err = -ENOMEM;
3070 		goto out;
3071 	}
3072 
3073 	/* Check the algorithm properties for consistency. */
3074 
3075 	if (crypto_skcipher_min_keysize(tfm) !=
3076 	    crypto_skcipher_min_keysize(generic_tfm)) {
3077 		pr_err("alg: skcipher: min keysize for %s (%u) doesn't match generic impl (%u)\n",
3078 		       driver, crypto_skcipher_min_keysize(tfm),
3079 		       crypto_skcipher_min_keysize(generic_tfm));
3080 		err = -EINVAL;
3081 		goto out;
3082 	}
3083 
3084 	if (maxkeysize != crypto_skcipher_max_keysize(generic_tfm)) {
3085 		pr_err("alg: skcipher: max keysize for %s (%u) doesn't match generic impl (%u)\n",
3086 		       driver, maxkeysize,
3087 		       crypto_skcipher_max_keysize(generic_tfm));
3088 		err = -EINVAL;
3089 		goto out;
3090 	}
3091 
3092 	if (ivsize != crypto_skcipher_ivsize(generic_tfm)) {
3093 		pr_err("alg: skcipher: ivsize for %s (%u) doesn't match generic impl (%u)\n",
3094 		       driver, ivsize, crypto_skcipher_ivsize(generic_tfm));
3095 		err = -EINVAL;
3096 		goto out;
3097 	}
3098 
3099 	if (blocksize != crypto_skcipher_blocksize(generic_tfm)) {
3100 		pr_err("alg: skcipher: blocksize for %s (%u) doesn't match generic impl (%u)\n",
3101 		       driver, blocksize,
3102 		       crypto_skcipher_blocksize(generic_tfm));
3103 		err = -EINVAL;
3104 		goto out;
3105 	}
3106 
3107 	/*
3108 	 * Now generate test vectors using the generic implementation, and test
3109 	 * the other implementation against them.
3110 	 */
3111 
3112 	vec.key = kmalloc(maxkeysize, GFP_KERNEL);
3113 	vec.iv = kmalloc(ivsize, GFP_KERNEL);
3114 	vec.ptext = kmalloc(maxdatasize, GFP_KERNEL);
3115 	vec.ctext = kmalloc(maxdatasize, GFP_KERNEL);
3116 	if (!vec.key || !vec.iv || !vec.ptext || !vec.ctext) {
3117 		err = -ENOMEM;
3118 		goto out;
3119 	}
3120 
3121 	for (i = 0; i < fuzz_iterations * 8; i++) {
3122 		generate_random_cipher_testvec(generic_req, &vec, maxdatasize,
3123 					       vec_name, sizeof(vec_name));
3124 		generate_random_testvec_config(cfg, cfgname, sizeof(cfgname));
3125 
3126 		err = test_skcipher_vec_cfg(ENCRYPT, &vec, vec_name,
3127 					    cfg, req, tsgls);
3128 		if (err)
3129 			goto out;
3130 		err = test_skcipher_vec_cfg(DECRYPT, &vec, vec_name,
3131 					    cfg, req, tsgls);
3132 		if (err)
3133 			goto out;
3134 		cond_resched();
3135 	}
3136 	err = 0;
3137 out:
3138 	kfree(cfg);
3139 	kfree(vec.key);
3140 	kfree(vec.iv);
3141 	kfree(vec.ptext);
3142 	kfree(vec.ctext);
3143 	crypto_free_skcipher(generic_tfm);
3144 	skcipher_request_free(generic_req);
3145 	return err;
3146 }
3147 #else /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3148 static int test_skcipher_vs_generic_impl(const char *generic_driver,
3149 					 struct skcipher_request *req,
3150 					 struct cipher_test_sglists *tsgls)
3151 {
3152 	return 0;
3153 }
3154 #endif /* !CONFIG_CRYPTO_MANAGER_EXTRA_TESTS */
3155 
3156 static int test_skcipher(int enc, const struct cipher_test_suite *suite,
3157 			 struct skcipher_request *req,
3158 			 struct cipher_test_sglists *tsgls)
3159 {
3160 	unsigned int i;
3161 	int err;
3162 
3163 	for (i = 0; i < suite->count; i++) {
3164 		err = test_skcipher_vec(enc, &suite->vecs[i], i, req, tsgls);
3165 		if (err)
3166 			return err;
3167 		cond_resched();
3168 	}
3169 	return 0;
3170 }
3171 
3172 static int alg_test_skcipher(const struct alg_test_desc *desc,
3173 			     const char *driver, u32 type, u32 mask)
3174 {
3175 	const struct cipher_test_suite *suite = &desc->suite.cipher;
3176 	struct crypto_skcipher *tfm;
3177 	struct skcipher_request *req = NULL;
3178 	struct cipher_test_sglists *tsgls = NULL;
3179 	int err;
3180 
3181 	if (suite->count <= 0) {
3182 		pr_err("alg: skcipher: empty test suite for %s\n", driver);
3183 		return -EINVAL;
3184 	}
3185 
3186 	tfm = crypto_alloc_skcipher(driver, type, mask);
3187 	if (IS_ERR(tfm)) {
3188 		pr_err("alg: skcipher: failed to allocate transform for %s: %ld\n",
3189 		       driver, PTR_ERR(tfm));
3190 		return PTR_ERR(tfm);
3191 	}
3192 	driver = crypto_skcipher_driver_name(tfm);
3193 
3194 	req = skcipher_request_alloc(tfm, GFP_KERNEL);
3195 	if (!req) {
3196 		pr_err("alg: skcipher: failed to allocate request for %s\n",
3197 		       driver);
3198 		err = -ENOMEM;
3199 		goto out;
3200 	}
3201 
3202 	tsgls = alloc_cipher_test_sglists();
3203 	if (!tsgls) {
3204 		pr_err("alg: skcipher: failed to allocate test buffers for %s\n",
3205 		       driver);
3206 		err = -ENOMEM;
3207 		goto out;
3208 	}
3209 
3210 	err = test_skcipher(ENCRYPT, suite, req, tsgls);
3211 	if (err)
3212 		goto out;
3213 
3214 	err = test_skcipher(DECRYPT, suite, req, tsgls);
3215 	if (err)
3216 		goto out;
3217 
3218 	err = test_skcipher_vs_generic_impl(desc->generic_driver, req, tsgls);
3219 out:
3220 	free_cipher_test_sglists(tsgls);
3221 	skcipher_request_free(req);
3222 	crypto_free_skcipher(tfm);
3223 	return err;
3224 }
3225 
3226 static int test_comp(struct crypto_comp *tfm,
3227 		     const struct comp_testvec *ctemplate,
3228 		     const struct comp_testvec *dtemplate,
3229 		     int ctcount, int dtcount)
3230 {
3231 	const char *algo = crypto_tfm_alg_driver_name(crypto_comp_tfm(tfm));
3232 	char *output, *decomp_output;
3233 	unsigned int i;
3234 	int ret;
3235 
3236 	output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3237 	if (!output)
3238 		return -ENOMEM;
3239 
3240 	decomp_output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3241 	if (!decomp_output) {
3242 		kfree(output);
3243 		return -ENOMEM;
3244 	}
3245 
3246 	for (i = 0; i < ctcount; i++) {
3247 		int ilen;
3248 		unsigned int dlen = COMP_BUF_SIZE;
3249 
3250 		memset(output, 0, COMP_BUF_SIZE);
3251 		memset(decomp_output, 0, COMP_BUF_SIZE);
3252 
3253 		ilen = ctemplate[i].inlen;
3254 		ret = crypto_comp_compress(tfm, ctemplate[i].input,
3255 					   ilen, output, &dlen);
3256 		if (ret) {
3257 			printk(KERN_ERR "alg: comp: compression failed "
3258 			       "on test %d for %s: ret=%d\n", i + 1, algo,
3259 			       -ret);
3260 			goto out;
3261 		}
3262 
3263 		ilen = dlen;
3264 		dlen = COMP_BUF_SIZE;
3265 		ret = crypto_comp_decompress(tfm, output,
3266 					     ilen, decomp_output, &dlen);
3267 		if (ret) {
3268 			pr_err("alg: comp: compression failed: decompress: on test %d for %s failed: ret=%d\n",
3269 			       i + 1, algo, -ret);
3270 			goto out;
3271 		}
3272 
3273 		if (dlen != ctemplate[i].inlen) {
3274 			printk(KERN_ERR "alg: comp: Compression test %d "
3275 			       "failed for %s: output len = %d\n", i + 1, algo,
3276 			       dlen);
3277 			ret = -EINVAL;
3278 			goto out;
3279 		}
3280 
3281 		if (memcmp(decomp_output, ctemplate[i].input,
3282 			   ctemplate[i].inlen)) {
3283 			pr_err("alg: comp: compression failed: output differs: on test %d for %s\n",
3284 			       i + 1, algo);
3285 			hexdump(decomp_output, dlen);
3286 			ret = -EINVAL;
3287 			goto out;
3288 		}
3289 	}
3290 
3291 	for (i = 0; i < dtcount; i++) {
3292 		int ilen;
3293 		unsigned int dlen = COMP_BUF_SIZE;
3294 
3295 		memset(decomp_output, 0, COMP_BUF_SIZE);
3296 
3297 		ilen = dtemplate[i].inlen;
3298 		ret = crypto_comp_decompress(tfm, dtemplate[i].input,
3299 					     ilen, decomp_output, &dlen);
3300 		if (ret) {
3301 			printk(KERN_ERR "alg: comp: decompression failed "
3302 			       "on test %d for %s: ret=%d\n", i + 1, algo,
3303 			       -ret);
3304 			goto out;
3305 		}
3306 
3307 		if (dlen != dtemplate[i].outlen) {
3308 			printk(KERN_ERR "alg: comp: Decompression test %d "
3309 			       "failed for %s: output len = %d\n", i + 1, algo,
3310 			       dlen);
3311 			ret = -EINVAL;
3312 			goto out;
3313 		}
3314 
3315 		if (memcmp(decomp_output, dtemplate[i].output, dlen)) {
3316 			printk(KERN_ERR "alg: comp: Decompression test %d "
3317 			       "failed for %s\n", i + 1, algo);
3318 			hexdump(decomp_output, dlen);
3319 			ret = -EINVAL;
3320 			goto out;
3321 		}
3322 	}
3323 
3324 	ret = 0;
3325 
3326 out:
3327 	kfree(decomp_output);
3328 	kfree(output);
3329 	return ret;
3330 }
3331 
3332 static int test_acomp(struct crypto_acomp *tfm,
3333 		      const struct comp_testvec *ctemplate,
3334 		      const struct comp_testvec *dtemplate,
3335 		      int ctcount, int dtcount)
3336 {
3337 	const char *algo = crypto_tfm_alg_driver_name(crypto_acomp_tfm(tfm));
3338 	unsigned int i;
3339 	char *output, *decomp_out;
3340 	int ret;
3341 	struct scatterlist src, dst;
3342 	struct acomp_req *req;
3343 	struct crypto_wait wait;
3344 
3345 	output = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3346 	if (!output)
3347 		return -ENOMEM;
3348 
3349 	decomp_out = kmalloc(COMP_BUF_SIZE, GFP_KERNEL);
3350 	if (!decomp_out) {
3351 		kfree(output);
3352 		return -ENOMEM;
3353 	}
3354 
3355 	for (i = 0; i < ctcount; i++) {
3356 		unsigned int dlen = COMP_BUF_SIZE;
3357 		int ilen = ctemplate[i].inlen;
3358 		void *input_vec;
3359 
3360 		input_vec = kmemdup(ctemplate[i].input, ilen, GFP_KERNEL);
3361 		if (!input_vec) {
3362 			ret = -ENOMEM;
3363 			goto out;
3364 		}
3365 
3366 		memset(output, 0, dlen);
3367 		crypto_init_wait(&wait);
3368 		sg_init_one(&src, input_vec, ilen);
3369 		sg_init_one(&dst, output, dlen);
3370 
3371 		req = acomp_request_alloc(tfm);
3372 		if (!req) {
3373 			pr_err("alg: acomp: request alloc failed for %s\n",
3374 			       algo);
3375 			kfree(input_vec);
3376 			ret = -ENOMEM;
3377 			goto out;
3378 		}
3379 
3380 		acomp_request_set_params(req, &src, &dst, ilen, dlen);
3381 		acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3382 					   crypto_req_done, &wait);
3383 
3384 		ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3385 		if (ret) {
3386 			pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3387 			       i + 1, algo, -ret);
3388 			kfree(input_vec);
3389 			acomp_request_free(req);
3390 			goto out;
3391 		}
3392 
3393 		ilen = req->dlen;
3394 		dlen = COMP_BUF_SIZE;
3395 		sg_init_one(&src, output, ilen);
3396 		sg_init_one(&dst, decomp_out, dlen);
3397 		crypto_init_wait(&wait);
3398 		acomp_request_set_params(req, &src, &dst, ilen, dlen);
3399 
3400 		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3401 		if (ret) {
3402 			pr_err("alg: acomp: compression failed on test %d for %s: ret=%d\n",
3403 			       i + 1, algo, -ret);
3404 			kfree(input_vec);
3405 			acomp_request_free(req);
3406 			goto out;
3407 		}
3408 
3409 		if (req->dlen != ctemplate[i].inlen) {
3410 			pr_err("alg: acomp: Compression test %d failed for %s: output len = %d\n",
3411 			       i + 1, algo, req->dlen);
3412 			ret = -EINVAL;
3413 			kfree(input_vec);
3414 			acomp_request_free(req);
3415 			goto out;
3416 		}
3417 
3418 		if (memcmp(input_vec, decomp_out, req->dlen)) {
3419 			pr_err("alg: acomp: Compression test %d failed for %s\n",
3420 			       i + 1, algo);
3421 			hexdump(output, req->dlen);
3422 			ret = -EINVAL;
3423 			kfree(input_vec);
3424 			acomp_request_free(req);
3425 			goto out;
3426 		}
3427 
3428 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3429 		crypto_init_wait(&wait);
3430 		sg_init_one(&src, input_vec, ilen);
3431 		acomp_request_set_params(req, &src, NULL, ilen, 0);
3432 
3433 		ret = crypto_wait_req(crypto_acomp_compress(req), &wait);
3434 		if (ret) {
3435 			pr_err("alg: acomp: compression failed on NULL dst buffer test %d for %s: ret=%d\n",
3436 			       i + 1, algo, -ret);
3437 			kfree(input_vec);
3438 			acomp_request_free(req);
3439 			goto out;
3440 		}
3441 #endif
3442 
3443 		kfree(input_vec);
3444 		acomp_request_free(req);
3445 	}
3446 
3447 	for (i = 0; i < dtcount; i++) {
3448 		unsigned int dlen = COMP_BUF_SIZE;
3449 		int ilen = dtemplate[i].inlen;
3450 		void *input_vec;
3451 
3452 		input_vec = kmemdup(dtemplate[i].input, ilen, GFP_KERNEL);
3453 		if (!input_vec) {
3454 			ret = -ENOMEM;
3455 			goto out;
3456 		}
3457 
3458 		memset(output, 0, dlen);
3459 		crypto_init_wait(&wait);
3460 		sg_init_one(&src, input_vec, ilen);
3461 		sg_init_one(&dst, output, dlen);
3462 
3463 		req = acomp_request_alloc(tfm);
3464 		if (!req) {
3465 			pr_err("alg: acomp: request alloc failed for %s\n",
3466 			       algo);
3467 			kfree(input_vec);
3468 			ret = -ENOMEM;
3469 			goto out;
3470 		}
3471 
3472 		acomp_request_set_params(req, &src, &dst, ilen, dlen);
3473 		acomp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3474 					   crypto_req_done, &wait);
3475 
3476 		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3477 		if (ret) {
3478 			pr_err("alg: acomp: decompression failed on test %d for %s: ret=%d\n",
3479 			       i + 1, algo, -ret);
3480 			kfree(input_vec);
3481 			acomp_request_free(req);
3482 			goto out;
3483 		}
3484 
3485 		if (req->dlen != dtemplate[i].outlen) {
3486 			pr_err("alg: acomp: Decompression test %d failed for %s: output len = %d\n",
3487 			       i + 1, algo, req->dlen);
3488 			ret = -EINVAL;
3489 			kfree(input_vec);
3490 			acomp_request_free(req);
3491 			goto out;
3492 		}
3493 
3494 		if (memcmp(output, dtemplate[i].output, req->dlen)) {
3495 			pr_err("alg: acomp: Decompression test %d failed for %s\n",
3496 			       i + 1, algo);
3497 			hexdump(output, req->dlen);
3498 			ret = -EINVAL;
3499 			kfree(input_vec);
3500 			acomp_request_free(req);
3501 			goto out;
3502 		}
3503 
3504 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
3505 		crypto_init_wait(&wait);
3506 		acomp_request_set_params(req, &src, NULL, ilen, 0);
3507 
3508 		ret = crypto_wait_req(crypto_acomp_decompress(req), &wait);
3509 		if (ret) {
3510 			pr_err("alg: acomp: decompression failed on NULL dst buffer test %d for %s: ret=%d\n",
3511 			       i + 1, algo, -ret);
3512 			kfree(input_vec);
3513 			acomp_request_free(req);
3514 			goto out;
3515 		}
3516 #endif
3517 
3518 		kfree(input_vec);
3519 		acomp_request_free(req);
3520 	}
3521 
3522 	ret = 0;
3523 
3524 out:
3525 	kfree(decomp_out);
3526 	kfree(output);
3527 	return ret;
3528 }
3529 
3530 static int test_cprng(struct crypto_rng *tfm,
3531 		      const struct cprng_testvec *template,
3532 		      unsigned int tcount)
3533 {
3534 	const char *algo = crypto_tfm_alg_driver_name(crypto_rng_tfm(tfm));
3535 	int err = 0, i, j, seedsize;
3536 	u8 *seed;
3537 	char result[32];
3538 
3539 	seedsize = crypto_rng_seedsize(tfm);
3540 
3541 	seed = kmalloc(seedsize, GFP_KERNEL);
3542 	if (!seed) {
3543 		printk(KERN_ERR "alg: cprng: Failed to allocate seed space "
3544 		       "for %s\n", algo);
3545 		return -ENOMEM;
3546 	}
3547 
3548 	for (i = 0; i < tcount; i++) {
3549 		memset(result, 0, 32);
3550 
3551 		memcpy(seed, template[i].v, template[i].vlen);
3552 		memcpy(seed + template[i].vlen, template[i].key,
3553 		       template[i].klen);
3554 		memcpy(seed + template[i].vlen + template[i].klen,
3555 		       template[i].dt, template[i].dtlen);
3556 
3557 		err = crypto_rng_reset(tfm, seed, seedsize);
3558 		if (err) {
3559 			printk(KERN_ERR "alg: cprng: Failed to reset rng "
3560 			       "for %s\n", algo);
3561 			goto out;
3562 		}
3563 
3564 		for (j = 0; j < template[i].loops; j++) {
3565 			err = crypto_rng_get_bytes(tfm, result,
3566 						   template[i].rlen);
3567 			if (err < 0) {
3568 				printk(KERN_ERR "alg: cprng: Failed to obtain "
3569 				       "the correct amount of random data for "
3570 				       "%s (requested %d)\n", algo,
3571 				       template[i].rlen);
3572 				goto out;
3573 			}
3574 		}
3575 
3576 		err = memcmp(result, template[i].result,
3577 			     template[i].rlen);
3578 		if (err) {
3579 			printk(KERN_ERR "alg: cprng: Test %d failed for %s\n",
3580 			       i, algo);
3581 			hexdump(result, template[i].rlen);
3582 			err = -EINVAL;
3583 			goto out;
3584 		}
3585 	}
3586 
3587 out:
3588 	kfree(seed);
3589 	return err;
3590 }
3591 
3592 static int alg_test_cipher(const struct alg_test_desc *desc,
3593 			   const char *driver, u32 type, u32 mask)
3594 {
3595 	const struct cipher_test_suite *suite = &desc->suite.cipher;
3596 	struct crypto_cipher *tfm;
3597 	int err;
3598 
3599 	tfm = crypto_alloc_cipher(driver, type, mask);
3600 	if (IS_ERR(tfm)) {
3601 		printk(KERN_ERR "alg: cipher: Failed to load transform for "
3602 		       "%s: %ld\n", driver, PTR_ERR(tfm));
3603 		return PTR_ERR(tfm);
3604 	}
3605 
3606 	err = test_cipher(tfm, ENCRYPT, suite->vecs, suite->count);
3607 	if (!err)
3608 		err = test_cipher(tfm, DECRYPT, suite->vecs, suite->count);
3609 
3610 	crypto_free_cipher(tfm);
3611 	return err;
3612 }
3613 
3614 static int alg_test_comp(const struct alg_test_desc *desc, const char *driver,
3615 			 u32 type, u32 mask)
3616 {
3617 	struct crypto_comp *comp;
3618 	struct crypto_acomp *acomp;
3619 	int err;
3620 	u32 algo_type = type & CRYPTO_ALG_TYPE_ACOMPRESS_MASK;
3621 
3622 	if (algo_type == CRYPTO_ALG_TYPE_ACOMPRESS) {
3623 		acomp = crypto_alloc_acomp(driver, type, mask);
3624 		if (IS_ERR(acomp)) {
3625 			pr_err("alg: acomp: Failed to load transform for %s: %ld\n",
3626 			       driver, PTR_ERR(acomp));
3627 			return PTR_ERR(acomp);
3628 		}
3629 		err = test_acomp(acomp, desc->suite.comp.comp.vecs,
3630 				 desc->suite.comp.decomp.vecs,
3631 				 desc->suite.comp.comp.count,
3632 				 desc->suite.comp.decomp.count);
3633 		crypto_free_acomp(acomp);
3634 	} else {
3635 		comp = crypto_alloc_comp(driver, type, mask);
3636 		if (IS_ERR(comp)) {
3637 			pr_err("alg: comp: Failed to load transform for %s: %ld\n",
3638 			       driver, PTR_ERR(comp));
3639 			return PTR_ERR(comp);
3640 		}
3641 
3642 		err = test_comp(comp, desc->suite.comp.comp.vecs,
3643 				desc->suite.comp.decomp.vecs,
3644 				desc->suite.comp.comp.count,
3645 				desc->suite.comp.decomp.count);
3646 
3647 		crypto_free_comp(comp);
3648 	}
3649 	return err;
3650 }
3651 
3652 static int alg_test_crc32c(const struct alg_test_desc *desc,
3653 			   const char *driver, u32 type, u32 mask)
3654 {
3655 	struct crypto_shash *tfm;
3656 	__le32 val;
3657 	int err;
3658 
3659 	err = alg_test_hash(desc, driver, type, mask);
3660 	if (err)
3661 		return err;
3662 
3663 	tfm = crypto_alloc_shash(driver, type, mask);
3664 	if (IS_ERR(tfm)) {
3665 		if (PTR_ERR(tfm) == -ENOENT) {
3666 			/*
3667 			 * This crc32c implementation is only available through
3668 			 * ahash API, not the shash API, so the remaining part
3669 			 * of the test is not applicable to it.
3670 			 */
3671 			return 0;
3672 		}
3673 		printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: "
3674 		       "%ld\n", driver, PTR_ERR(tfm));
3675 		return PTR_ERR(tfm);
3676 	}
3677 	driver = crypto_shash_driver_name(tfm);
3678 
3679 	do {
3680 		SHASH_DESC_ON_STACK(shash, tfm);
3681 		u32 *ctx = (u32 *)shash_desc_ctx(shash);
3682 
3683 		shash->tfm = tfm;
3684 
3685 		*ctx = 420553207;
3686 		err = crypto_shash_final(shash, (u8 *)&val);
3687 		if (err) {
3688 			printk(KERN_ERR "alg: crc32c: Operation failed for "
3689 			       "%s: %d\n", driver, err);
3690 			break;
3691 		}
3692 
3693 		if (val != cpu_to_le32(~420553207)) {
3694 			pr_err("alg: crc32c: Test failed for %s: %u\n",
3695 			       driver, le32_to_cpu(val));
3696 			err = -EINVAL;
3697 		}
3698 	} while (0);
3699 
3700 	crypto_free_shash(tfm);
3701 
3702 	return err;
3703 }
3704 
3705 static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
3706 			  u32 type, u32 mask)
3707 {
3708 	struct crypto_rng *rng;
3709 	int err;
3710 
3711 	rng = crypto_alloc_rng(driver, type, mask);
3712 	if (IS_ERR(rng)) {
3713 		printk(KERN_ERR "alg: cprng: Failed to load transform for %s: "
3714 		       "%ld\n", driver, PTR_ERR(rng));
3715 		return PTR_ERR(rng);
3716 	}
3717 
3718 	err = test_cprng(rng, desc->suite.cprng.vecs, desc->suite.cprng.count);
3719 
3720 	crypto_free_rng(rng);
3721 
3722 	return err;
3723 }
3724 
3725 
3726 static int drbg_cavs_test(const struct drbg_testvec *test, int pr,
3727 			  const char *driver, u32 type, u32 mask)
3728 {
3729 	int ret = -EAGAIN;
3730 	struct crypto_rng *drng;
3731 	struct drbg_test_data test_data;
3732 	struct drbg_string addtl, pers, testentropy;
3733 	unsigned char *buf = kzalloc(test->expectedlen, GFP_KERNEL);
3734 
3735 	if (!buf)
3736 		return -ENOMEM;
3737 
3738 	drng = crypto_alloc_rng(driver, type, mask);
3739 	if (IS_ERR(drng)) {
3740 		printk(KERN_ERR "alg: drbg: could not allocate DRNG handle for "
3741 		       "%s\n", driver);
3742 		kfree_sensitive(buf);
3743 		return -ENOMEM;
3744 	}
3745 
3746 	test_data.testentropy = &testentropy;
3747 	drbg_string_fill(&testentropy, test->entropy, test->entropylen);
3748 	drbg_string_fill(&pers, test->pers, test->perslen);
3749 	ret = crypto_drbg_reset_test(drng, &pers, &test_data);
3750 	if (ret) {
3751 		printk(KERN_ERR "alg: drbg: Failed to reset rng\n");
3752 		goto outbuf;
3753 	}
3754 
3755 	drbg_string_fill(&addtl, test->addtla, test->addtllen);
3756 	if (pr) {
3757 		drbg_string_fill(&testentropy, test->entpra, test->entprlen);
3758 		ret = crypto_drbg_get_bytes_addtl_test(drng,
3759 			buf, test->expectedlen, &addtl,	&test_data);
3760 	} else {
3761 		ret = crypto_drbg_get_bytes_addtl(drng,
3762 			buf, test->expectedlen, &addtl);
3763 	}
3764 	if (ret < 0) {
3765 		printk(KERN_ERR "alg: drbg: could not obtain random data for "
3766 		       "driver %s\n", driver);
3767 		goto outbuf;
3768 	}
3769 
3770 	drbg_string_fill(&addtl, test->addtlb, test->addtllen);
3771 	if (pr) {
3772 		drbg_string_fill(&testentropy, test->entprb, test->entprlen);
3773 		ret = crypto_drbg_get_bytes_addtl_test(drng,
3774 			buf, test->expectedlen, &addtl, &test_data);
3775 	} else {
3776 		ret = crypto_drbg_get_bytes_addtl(drng,
3777 			buf, test->expectedlen, &addtl);
3778 	}
3779 	if (ret < 0) {
3780 		printk(KERN_ERR "alg: drbg: could not obtain random data for "
3781 		       "driver %s\n", driver);
3782 		goto outbuf;
3783 	}
3784 
3785 	ret = memcmp(test->expected, buf, test->expectedlen);
3786 
3787 outbuf:
3788 	crypto_free_rng(drng);
3789 	kfree_sensitive(buf);
3790 	return ret;
3791 }
3792 
3793 
3794 static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver,
3795 			 u32 type, u32 mask)
3796 {
3797 	int err = 0;
3798 	int pr = 0;
3799 	int i = 0;
3800 	const struct drbg_testvec *template = desc->suite.drbg.vecs;
3801 	unsigned int tcount = desc->suite.drbg.count;
3802 
3803 	if (0 == memcmp(driver, "drbg_pr_", 8))
3804 		pr = 1;
3805 
3806 	for (i = 0; i < tcount; i++) {
3807 		err = drbg_cavs_test(&template[i], pr, driver, type, mask);
3808 		if (err) {
3809 			printk(KERN_ERR "alg: drbg: Test %d failed for %s\n",
3810 			       i, driver);
3811 			err = -EINVAL;
3812 			break;
3813 		}
3814 	}
3815 	return err;
3816 
3817 }
3818 
3819 static int do_test_kpp(struct crypto_kpp *tfm, const struct kpp_testvec *vec,
3820 		       const char *alg)
3821 {
3822 	struct kpp_request *req;
3823 	void *input_buf = NULL;
3824 	void *output_buf = NULL;
3825 	void *a_public = NULL;
3826 	void *a_ss = NULL;
3827 	void *shared_secret = NULL;
3828 	struct crypto_wait wait;
3829 	unsigned int out_len_max;
3830 	int err = -ENOMEM;
3831 	struct scatterlist src, dst;
3832 
3833 	req = kpp_request_alloc(tfm, GFP_KERNEL);
3834 	if (!req)
3835 		return err;
3836 
3837 	crypto_init_wait(&wait);
3838 
3839 	err = crypto_kpp_set_secret(tfm, vec->secret, vec->secret_size);
3840 	if (err < 0)
3841 		goto free_req;
3842 
3843 	out_len_max = crypto_kpp_maxsize(tfm);
3844 	output_buf = kzalloc(out_len_max, GFP_KERNEL);
3845 	if (!output_buf) {
3846 		err = -ENOMEM;
3847 		goto free_req;
3848 	}
3849 
3850 	/* Use appropriate parameter as base */
3851 	kpp_request_set_input(req, NULL, 0);
3852 	sg_init_one(&dst, output_buf, out_len_max);
3853 	kpp_request_set_output(req, &dst, out_len_max);
3854 	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3855 				 crypto_req_done, &wait);
3856 
3857 	/* Compute party A's public key */
3858 	err = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait);
3859 	if (err) {
3860 		pr_err("alg: %s: Party A: generate public key test failed. err %d\n",
3861 		       alg, err);
3862 		goto free_output;
3863 	}
3864 
3865 	if (vec->genkey) {
3866 		/* Save party A's public key */
3867 		a_public = kmemdup(sg_virt(req->dst), out_len_max, GFP_KERNEL);
3868 		if (!a_public) {
3869 			err = -ENOMEM;
3870 			goto free_output;
3871 		}
3872 	} else {
3873 		/* Verify calculated public key */
3874 		if (memcmp(vec->expected_a_public, sg_virt(req->dst),
3875 			   vec->expected_a_public_size)) {
3876 			pr_err("alg: %s: Party A: generate public key test failed. Invalid output\n",
3877 			       alg);
3878 			err = -EINVAL;
3879 			goto free_output;
3880 		}
3881 	}
3882 
3883 	/* Calculate shared secret key by using counter part (b) public key. */
3884 	input_buf = kmemdup(vec->b_public, vec->b_public_size, GFP_KERNEL);
3885 	if (!input_buf) {
3886 		err = -ENOMEM;
3887 		goto free_output;
3888 	}
3889 
3890 	sg_init_one(&src, input_buf, vec->b_public_size);
3891 	sg_init_one(&dst, output_buf, out_len_max);
3892 	kpp_request_set_input(req, &src, vec->b_public_size);
3893 	kpp_request_set_output(req, &dst, out_len_max);
3894 	kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3895 				 crypto_req_done, &wait);
3896 	err = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait);
3897 	if (err) {
3898 		pr_err("alg: %s: Party A: compute shared secret test failed. err %d\n",
3899 		       alg, err);
3900 		goto free_all;
3901 	}
3902 
3903 	if (vec->genkey) {
3904 		/* Save the shared secret obtained by party A */
3905 		a_ss = kmemdup(sg_virt(req->dst), vec->expected_ss_size, GFP_KERNEL);
3906 		if (!a_ss) {
3907 			err = -ENOMEM;
3908 			goto free_all;
3909 		}
3910 
3911 		/*
3912 		 * Calculate party B's shared secret by using party A's
3913 		 * public key.
3914 		 */
3915 		err = crypto_kpp_set_secret(tfm, vec->b_secret,
3916 					    vec->b_secret_size);
3917 		if (err < 0)
3918 			goto free_all;
3919 
3920 		sg_init_one(&src, a_public, vec->expected_a_public_size);
3921 		sg_init_one(&dst, output_buf, out_len_max);
3922 		kpp_request_set_input(req, &src, vec->expected_a_public_size);
3923 		kpp_request_set_output(req, &dst, out_len_max);
3924 		kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
3925 					 crypto_req_done, &wait);
3926 		err = crypto_wait_req(crypto_kpp_compute_shared_secret(req),
3927 				      &wait);
3928 		if (err) {
3929 			pr_err("alg: %s: Party B: compute shared secret failed. err %d\n",
3930 			       alg, err);
3931 			goto free_all;
3932 		}
3933 
3934 		shared_secret = a_ss;
3935 	} else {
3936 		shared_secret = (void *)vec->expected_ss;
3937 	}
3938 
3939 	/*
3940 	 * verify shared secret from which the user will derive
3941 	 * secret key by executing whatever hash it has chosen
3942 	 */
3943 	if (memcmp(shared_secret, sg_virt(req->dst),
3944 		   vec->expected_ss_size)) {
3945 		pr_err("alg: %s: compute shared secret test failed. Invalid output\n",
3946 		       alg);
3947 		err = -EINVAL;
3948 	}
3949 
3950 free_all:
3951 	kfree(a_ss);
3952 	kfree(input_buf);
3953 free_output:
3954 	kfree(a_public);
3955 	kfree(output_buf);
3956 free_req:
3957 	kpp_request_free(req);
3958 	return err;
3959 }
3960 
3961 static int test_kpp(struct crypto_kpp *tfm, const char *alg,
3962 		    const struct kpp_testvec *vecs, unsigned int tcount)
3963 {
3964 	int ret, i;
3965 
3966 	for (i = 0; i < tcount; i++) {
3967 		ret = do_test_kpp(tfm, vecs++, alg);
3968 		if (ret) {
3969 			pr_err("alg: %s: test failed on vector %d, err=%d\n",
3970 			       alg, i + 1, ret);
3971 			return ret;
3972 		}
3973 	}
3974 	return 0;
3975 }
3976 
3977 static int alg_test_kpp(const struct alg_test_desc *desc, const char *driver,
3978 			u32 type, u32 mask)
3979 {
3980 	struct crypto_kpp *tfm;
3981 	int err = 0;
3982 
3983 	tfm = crypto_alloc_kpp(driver, type, mask);
3984 	if (IS_ERR(tfm)) {
3985 		pr_err("alg: kpp: Failed to load tfm for %s: %ld\n",
3986 		       driver, PTR_ERR(tfm));
3987 		return PTR_ERR(tfm);
3988 	}
3989 	if (desc->suite.kpp.vecs)
3990 		err = test_kpp(tfm, desc->alg, desc->suite.kpp.vecs,
3991 			       desc->suite.kpp.count);
3992 
3993 	crypto_free_kpp(tfm);
3994 	return err;
3995 }
3996 
3997 static u8 *test_pack_u32(u8 *dst, u32 val)
3998 {
3999 	memcpy(dst, &val, sizeof(val));
4000 	return dst + sizeof(val);
4001 }
4002 
4003 static int test_akcipher_one(struct crypto_akcipher *tfm,
4004 			     const struct akcipher_testvec *vecs)
4005 {
4006 	char *xbuf[XBUFSIZE];
4007 	struct akcipher_request *req;
4008 	void *outbuf_enc = NULL;
4009 	void *outbuf_dec = NULL;
4010 	struct crypto_wait wait;
4011 	unsigned int out_len_max, out_len = 0;
4012 	int err = -ENOMEM;
4013 	struct scatterlist src, dst, src_tab[3];
4014 	const char *m, *c;
4015 	unsigned int m_size, c_size;
4016 	const char *op;
4017 	u8 *key, *ptr;
4018 
4019 	if (testmgr_alloc_buf(xbuf))
4020 		return err;
4021 
4022 	req = akcipher_request_alloc(tfm, GFP_KERNEL);
4023 	if (!req)
4024 		goto free_xbuf;
4025 
4026 	crypto_init_wait(&wait);
4027 
4028 	key = kmalloc(vecs->key_len + sizeof(u32) * 2 + vecs->param_len,
4029 		      GFP_KERNEL);
4030 	if (!key)
4031 		goto free_req;
4032 	memcpy(key, vecs->key, vecs->key_len);
4033 	ptr = key + vecs->key_len;
4034 	ptr = test_pack_u32(ptr, vecs->algo);
4035 	ptr = test_pack_u32(ptr, vecs->param_len);
4036 	memcpy(ptr, vecs->params, vecs->param_len);
4037 
4038 	if (vecs->public_key_vec)
4039 		err = crypto_akcipher_set_pub_key(tfm, key, vecs->key_len);
4040 	else
4041 		err = crypto_akcipher_set_priv_key(tfm, key, vecs->key_len);
4042 	if (err)
4043 		goto free_key;
4044 
4045 	/*
4046 	 * First run test which do not require a private key, such as
4047 	 * encrypt or verify.
4048 	 */
4049 	err = -ENOMEM;
4050 	out_len_max = crypto_akcipher_maxsize(tfm);
4051 	outbuf_enc = kzalloc(out_len_max, GFP_KERNEL);
4052 	if (!outbuf_enc)
4053 		goto free_key;
4054 
4055 	if (!vecs->siggen_sigver_test) {
4056 		m = vecs->m;
4057 		m_size = vecs->m_size;
4058 		c = vecs->c;
4059 		c_size = vecs->c_size;
4060 		op = "encrypt";
4061 	} else {
4062 		/* Swap args so we could keep plaintext (digest)
4063 		 * in vecs->m, and cooked signature in vecs->c.
4064 		 */
4065 		m = vecs->c; /* signature */
4066 		m_size = vecs->c_size;
4067 		c = vecs->m; /* digest */
4068 		c_size = vecs->m_size;
4069 		op = "verify";
4070 	}
4071 
4072 	err = -E2BIG;
4073 	if (WARN_ON(m_size > PAGE_SIZE))
4074 		goto free_all;
4075 	memcpy(xbuf[0], m, m_size);
4076 
4077 	sg_init_table(src_tab, 3);
4078 	sg_set_buf(&src_tab[0], xbuf[0], 8);
4079 	sg_set_buf(&src_tab[1], xbuf[0] + 8, m_size - 8);
4080 	if (vecs->siggen_sigver_test) {
4081 		if (WARN_ON(c_size > PAGE_SIZE))
4082 			goto free_all;
4083 		memcpy(xbuf[1], c, c_size);
4084 		sg_set_buf(&src_tab[2], xbuf[1], c_size);
4085 		akcipher_request_set_crypt(req, src_tab, NULL, m_size, c_size);
4086 	} else {
4087 		sg_init_one(&dst, outbuf_enc, out_len_max);
4088 		akcipher_request_set_crypt(req, src_tab, &dst, m_size,
4089 					   out_len_max);
4090 	}
4091 	akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4092 				      crypto_req_done, &wait);
4093 
4094 	err = crypto_wait_req(vecs->siggen_sigver_test ?
4095 			      /* Run asymmetric signature verification */
4096 			      crypto_akcipher_verify(req) :
4097 			      /* Run asymmetric encrypt */
4098 			      crypto_akcipher_encrypt(req), &wait);
4099 	if (err) {
4100 		pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4101 		goto free_all;
4102 	}
4103 	if (!vecs->siggen_sigver_test && c) {
4104 		if (req->dst_len != c_size) {
4105 			pr_err("alg: akcipher: %s test failed. Invalid output len\n",
4106 			       op);
4107 			err = -EINVAL;
4108 			goto free_all;
4109 		}
4110 		/* verify that encrypted message is equal to expected */
4111 		if (memcmp(c, outbuf_enc, c_size) != 0) {
4112 			pr_err("alg: akcipher: %s test failed. Invalid output\n",
4113 			       op);
4114 			hexdump(outbuf_enc, c_size);
4115 			err = -EINVAL;
4116 			goto free_all;
4117 		}
4118 	}
4119 
4120 	/*
4121 	 * Don't invoke (decrypt or sign) test which require a private key
4122 	 * for vectors with only a public key.
4123 	 */
4124 	if (vecs->public_key_vec) {
4125 		err = 0;
4126 		goto free_all;
4127 	}
4128 	outbuf_dec = kzalloc(out_len_max, GFP_KERNEL);
4129 	if (!outbuf_dec) {
4130 		err = -ENOMEM;
4131 		goto free_all;
4132 	}
4133 
4134 	if (!vecs->siggen_sigver_test && !c) {
4135 		c = outbuf_enc;
4136 		c_size = req->dst_len;
4137 	}
4138 
4139 	err = -E2BIG;
4140 	op = vecs->siggen_sigver_test ? "sign" : "decrypt";
4141 	if (WARN_ON(c_size > PAGE_SIZE))
4142 		goto free_all;
4143 	memcpy(xbuf[0], c, c_size);
4144 
4145 	sg_init_one(&src, xbuf[0], c_size);
4146 	sg_init_one(&dst, outbuf_dec, out_len_max);
4147 	crypto_init_wait(&wait);
4148 	akcipher_request_set_crypt(req, &src, &dst, c_size, out_len_max);
4149 
4150 	err = crypto_wait_req(vecs->siggen_sigver_test ?
4151 			      /* Run asymmetric signature generation */
4152 			      crypto_akcipher_sign(req) :
4153 			      /* Run asymmetric decrypt */
4154 			      crypto_akcipher_decrypt(req), &wait);
4155 	if (err) {
4156 		pr_err("alg: akcipher: %s test failed. err %d\n", op, err);
4157 		goto free_all;
4158 	}
4159 	out_len = req->dst_len;
4160 	if (out_len < m_size) {
4161 		pr_err("alg: akcipher: %s test failed. Invalid output len %u\n",
4162 		       op, out_len);
4163 		err = -EINVAL;
4164 		goto free_all;
4165 	}
4166 	/* verify that decrypted message is equal to the original msg */
4167 	if (memchr_inv(outbuf_dec, 0, out_len - m_size) ||
4168 	    memcmp(m, outbuf_dec + out_len - m_size, m_size)) {
4169 		pr_err("alg: akcipher: %s test failed. Invalid output\n", op);
4170 		hexdump(outbuf_dec, out_len);
4171 		err = -EINVAL;
4172 	}
4173 free_all:
4174 	kfree(outbuf_dec);
4175 	kfree(outbuf_enc);
4176 free_key:
4177 	kfree(key);
4178 free_req:
4179 	akcipher_request_free(req);
4180 free_xbuf:
4181 	testmgr_free_buf(xbuf);
4182 	return err;
4183 }
4184 
4185 static int test_akcipher(struct crypto_akcipher *tfm, const char *alg,
4186 			 const struct akcipher_testvec *vecs,
4187 			 unsigned int tcount)
4188 {
4189 	const char *algo =
4190 		crypto_tfm_alg_driver_name(crypto_akcipher_tfm(tfm));
4191 	int ret, i;
4192 
4193 	for (i = 0; i < tcount; i++) {
4194 		ret = test_akcipher_one(tfm, vecs++);
4195 		if (!ret)
4196 			continue;
4197 
4198 		pr_err("alg: akcipher: test %d failed for %s, err=%d\n",
4199 		       i + 1, algo, ret);
4200 		return ret;
4201 	}
4202 	return 0;
4203 }
4204 
4205 static int alg_test_akcipher(const struct alg_test_desc *desc,
4206 			     const char *driver, u32 type, u32 mask)
4207 {
4208 	struct crypto_akcipher *tfm;
4209 	int err = 0;
4210 
4211 	tfm = crypto_alloc_akcipher(driver, type, mask);
4212 	if (IS_ERR(tfm)) {
4213 		pr_err("alg: akcipher: Failed to load tfm for %s: %ld\n",
4214 		       driver, PTR_ERR(tfm));
4215 		return PTR_ERR(tfm);
4216 	}
4217 	if (desc->suite.akcipher.vecs)
4218 		err = test_akcipher(tfm, desc->alg, desc->suite.akcipher.vecs,
4219 				    desc->suite.akcipher.count);
4220 
4221 	crypto_free_akcipher(tfm);
4222 	return err;
4223 }
4224 
4225 static int alg_test_null(const struct alg_test_desc *desc,
4226 			     const char *driver, u32 type, u32 mask)
4227 {
4228 	return 0;
4229 }
4230 
4231 #define ____VECS(tv)	.vecs = tv, .count = ARRAY_SIZE(tv)
4232 #define __VECS(tv)	{ ____VECS(tv) }
4233 
4234 /* Please keep this list sorted by algorithm name. */
4235 static const struct alg_test_desc alg_test_descs[] = {
4236 	{
4237 		.alg = "adiantum(xchacha12,aes)",
4238 		.generic_driver = "adiantum(xchacha12-generic,aes-generic,nhpoly1305-generic)",
4239 		.test = alg_test_skcipher,
4240 		.suite = {
4241 			.cipher = __VECS(adiantum_xchacha12_aes_tv_template)
4242 		},
4243 	}, {
4244 		.alg = "adiantum(xchacha20,aes)",
4245 		.generic_driver = "adiantum(xchacha20-generic,aes-generic,nhpoly1305-generic)",
4246 		.test = alg_test_skcipher,
4247 		.suite = {
4248 			.cipher = __VECS(adiantum_xchacha20_aes_tv_template)
4249 		},
4250 	}, {
4251 		.alg = "aegis128",
4252 		.test = alg_test_aead,
4253 		.suite = {
4254 			.aead = __VECS(aegis128_tv_template)
4255 		}
4256 	}, {
4257 		.alg = "ansi_cprng",
4258 		.test = alg_test_cprng,
4259 		.suite = {
4260 			.cprng = __VECS(ansi_cprng_aes_tv_template)
4261 		}
4262 	}, {
4263 		.alg = "authenc(hmac(md5),ecb(cipher_null))",
4264 		.test = alg_test_aead,
4265 		.suite = {
4266 			.aead = __VECS(hmac_md5_ecb_cipher_null_tv_template)
4267 		}
4268 	}, {
4269 		.alg = "authenc(hmac(sha1),cbc(aes))",
4270 		.test = alg_test_aead,
4271 		.fips_allowed = 1,
4272 		.suite = {
4273 			.aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
4274 		}
4275 	}, {
4276 		.alg = "authenc(hmac(sha1),cbc(des))",
4277 		.test = alg_test_aead,
4278 		.suite = {
4279 			.aead = __VECS(hmac_sha1_des_cbc_tv_temp)
4280 		}
4281 	}, {
4282 		.alg = "authenc(hmac(sha1),cbc(des3_ede))",
4283 		.test = alg_test_aead,
4284 		.suite = {
4285 			.aead = __VECS(hmac_sha1_des3_ede_cbc_tv_temp)
4286 		}
4287 	}, {
4288 		.alg = "authenc(hmac(sha1),ctr(aes))",
4289 		.test = alg_test_null,
4290 		.fips_allowed = 1,
4291 	}, {
4292 		.alg = "authenc(hmac(sha1),ecb(cipher_null))",
4293 		.test = alg_test_aead,
4294 		.suite = {
4295 			.aead = __VECS(hmac_sha1_ecb_cipher_null_tv_temp)
4296 		}
4297 	}, {
4298 		.alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
4299 		.test = alg_test_null,
4300 		.fips_allowed = 1,
4301 	}, {
4302 		.alg = "authenc(hmac(sha224),cbc(des))",
4303 		.test = alg_test_aead,
4304 		.suite = {
4305 			.aead = __VECS(hmac_sha224_des_cbc_tv_temp)
4306 		}
4307 	}, {
4308 		.alg = "authenc(hmac(sha224),cbc(des3_ede))",
4309 		.test = alg_test_aead,
4310 		.suite = {
4311 			.aead = __VECS(hmac_sha224_des3_ede_cbc_tv_temp)
4312 		}
4313 	}, {
4314 		.alg = "authenc(hmac(sha256),cbc(aes))",
4315 		.test = alg_test_aead,
4316 		.fips_allowed = 1,
4317 		.suite = {
4318 			.aead = __VECS(hmac_sha256_aes_cbc_tv_temp)
4319 		}
4320 	}, {
4321 		.alg = "authenc(hmac(sha256),cbc(des))",
4322 		.test = alg_test_aead,
4323 		.suite = {
4324 			.aead = __VECS(hmac_sha256_des_cbc_tv_temp)
4325 		}
4326 	}, {
4327 		.alg = "authenc(hmac(sha256),cbc(des3_ede))",
4328 		.test = alg_test_aead,
4329 		.suite = {
4330 			.aead = __VECS(hmac_sha256_des3_ede_cbc_tv_temp)
4331 		}
4332 	}, {
4333 		.alg = "authenc(hmac(sha256),ctr(aes))",
4334 		.test = alg_test_null,
4335 		.fips_allowed = 1,
4336 	}, {
4337 		.alg = "authenc(hmac(sha256),rfc3686(ctr(aes)))",
4338 		.test = alg_test_null,
4339 		.fips_allowed = 1,
4340 	}, {
4341 		.alg = "authenc(hmac(sha384),cbc(des))",
4342 		.test = alg_test_aead,
4343 		.suite = {
4344 			.aead = __VECS(hmac_sha384_des_cbc_tv_temp)
4345 		}
4346 	}, {
4347 		.alg = "authenc(hmac(sha384),cbc(des3_ede))",
4348 		.test = alg_test_aead,
4349 		.suite = {
4350 			.aead = __VECS(hmac_sha384_des3_ede_cbc_tv_temp)
4351 		}
4352 	}, {
4353 		.alg = "authenc(hmac(sha384),ctr(aes))",
4354 		.test = alg_test_null,
4355 		.fips_allowed = 1,
4356 	}, {
4357 		.alg = "authenc(hmac(sha384),rfc3686(ctr(aes)))",
4358 		.test = alg_test_null,
4359 		.fips_allowed = 1,
4360 	}, {
4361 		.alg = "authenc(hmac(sha512),cbc(aes))",
4362 		.fips_allowed = 1,
4363 		.test = alg_test_aead,
4364 		.suite = {
4365 			.aead = __VECS(hmac_sha512_aes_cbc_tv_temp)
4366 		}
4367 	}, {
4368 		.alg = "authenc(hmac(sha512),cbc(des))",
4369 		.test = alg_test_aead,
4370 		.suite = {
4371 			.aead = __VECS(hmac_sha512_des_cbc_tv_temp)
4372 		}
4373 	}, {
4374 		.alg = "authenc(hmac(sha512),cbc(des3_ede))",
4375 		.test = alg_test_aead,
4376 		.suite = {
4377 			.aead = __VECS(hmac_sha512_des3_ede_cbc_tv_temp)
4378 		}
4379 	}, {
4380 		.alg = "authenc(hmac(sha512),ctr(aes))",
4381 		.test = alg_test_null,
4382 		.fips_allowed = 1,
4383 	}, {
4384 		.alg = "authenc(hmac(sha512),rfc3686(ctr(aes)))",
4385 		.test = alg_test_null,
4386 		.fips_allowed = 1,
4387 	}, {
4388 		.alg = "blake2b-160",
4389 		.test = alg_test_hash,
4390 		.fips_allowed = 0,
4391 		.suite = {
4392 			.hash = __VECS(blake2b_160_tv_template)
4393 		}
4394 	}, {
4395 		.alg = "blake2b-256",
4396 		.test = alg_test_hash,
4397 		.fips_allowed = 0,
4398 		.suite = {
4399 			.hash = __VECS(blake2b_256_tv_template)
4400 		}
4401 	}, {
4402 		.alg = "blake2b-384",
4403 		.test = alg_test_hash,
4404 		.fips_allowed = 0,
4405 		.suite = {
4406 			.hash = __VECS(blake2b_384_tv_template)
4407 		}
4408 	}, {
4409 		.alg = "blake2b-512",
4410 		.test = alg_test_hash,
4411 		.fips_allowed = 0,
4412 		.suite = {
4413 			.hash = __VECS(blake2b_512_tv_template)
4414 		}
4415 	}, {
4416 		.alg = "cbc(aes)",
4417 		.test = alg_test_skcipher,
4418 		.fips_allowed = 1,
4419 		.suite = {
4420 			.cipher = __VECS(aes_cbc_tv_template)
4421 		},
4422 	}, {
4423 		.alg = "cbc(anubis)",
4424 		.test = alg_test_skcipher,
4425 		.suite = {
4426 			.cipher = __VECS(anubis_cbc_tv_template)
4427 		},
4428 	}, {
4429 		.alg = "cbc(aria)",
4430 		.test = alg_test_skcipher,
4431 		.suite = {
4432 			.cipher = __VECS(aria_cbc_tv_template)
4433 		},
4434 	}, {
4435 		.alg = "cbc(blowfish)",
4436 		.test = alg_test_skcipher,
4437 		.suite = {
4438 			.cipher = __VECS(bf_cbc_tv_template)
4439 		},
4440 	}, {
4441 		.alg = "cbc(camellia)",
4442 		.test = alg_test_skcipher,
4443 		.suite = {
4444 			.cipher = __VECS(camellia_cbc_tv_template)
4445 		},
4446 	}, {
4447 		.alg = "cbc(cast5)",
4448 		.test = alg_test_skcipher,
4449 		.suite = {
4450 			.cipher = __VECS(cast5_cbc_tv_template)
4451 		},
4452 	}, {
4453 		.alg = "cbc(cast6)",
4454 		.test = alg_test_skcipher,
4455 		.suite = {
4456 			.cipher = __VECS(cast6_cbc_tv_template)
4457 		},
4458 	}, {
4459 		.alg = "cbc(des)",
4460 		.test = alg_test_skcipher,
4461 		.suite = {
4462 			.cipher = __VECS(des_cbc_tv_template)
4463 		},
4464 	}, {
4465 		.alg = "cbc(des3_ede)",
4466 		.test = alg_test_skcipher,
4467 		.suite = {
4468 			.cipher = __VECS(des3_ede_cbc_tv_template)
4469 		},
4470 	}, {
4471 		/* Same as cbc(aes) except the key is stored in
4472 		 * hardware secure memory which we reference by index
4473 		 */
4474 		.alg = "cbc(paes)",
4475 		.test = alg_test_null,
4476 		.fips_allowed = 1,
4477 	}, {
4478 		/* Same as cbc(sm4) except the key is stored in
4479 		 * hardware secure memory which we reference by index
4480 		 */
4481 		.alg = "cbc(psm4)",
4482 		.test = alg_test_null,
4483 	}, {
4484 		.alg = "cbc(serpent)",
4485 		.test = alg_test_skcipher,
4486 		.suite = {
4487 			.cipher = __VECS(serpent_cbc_tv_template)
4488 		},
4489 	}, {
4490 		.alg = "cbc(sm4)",
4491 		.test = alg_test_skcipher,
4492 		.suite = {
4493 			.cipher = __VECS(sm4_cbc_tv_template)
4494 		}
4495 	}, {
4496 		.alg = "cbc(twofish)",
4497 		.test = alg_test_skcipher,
4498 		.suite = {
4499 			.cipher = __VECS(tf_cbc_tv_template)
4500 		},
4501 	}, {
4502 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4503 		.alg = "cbc-paes-s390",
4504 		.fips_allowed = 1,
4505 		.test = alg_test_skcipher,
4506 		.suite = {
4507 			.cipher = __VECS(aes_cbc_tv_template)
4508 		}
4509 	}, {
4510 #endif
4511 		.alg = "cbcmac(aes)",
4512 		.test = alg_test_hash,
4513 		.suite = {
4514 			.hash = __VECS(aes_cbcmac_tv_template)
4515 		}
4516 	}, {
4517 		.alg = "cbcmac(sm4)",
4518 		.test = alg_test_hash,
4519 		.suite = {
4520 			.hash = __VECS(sm4_cbcmac_tv_template)
4521 		}
4522 	}, {
4523 		.alg = "ccm(aes)",
4524 		.generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))",
4525 		.test = alg_test_aead,
4526 		.fips_allowed = 1,
4527 		.suite = {
4528 			.aead = {
4529 				____VECS(aes_ccm_tv_template),
4530 				.einval_allowed = 1,
4531 			}
4532 		}
4533 	}, {
4534 		.alg = "ccm(sm4)",
4535 		.generic_driver = "ccm_base(ctr(sm4-generic),cbcmac(sm4-generic))",
4536 		.test = alg_test_aead,
4537 		.suite = {
4538 			.aead = {
4539 				____VECS(sm4_ccm_tv_template),
4540 				.einval_allowed = 1,
4541 			}
4542 		}
4543 	}, {
4544 		.alg = "cfb(aes)",
4545 		.test = alg_test_skcipher,
4546 		.fips_allowed = 1,
4547 		.suite = {
4548 			.cipher = __VECS(aes_cfb_tv_template)
4549 		},
4550 	}, {
4551 		.alg = "cfb(aria)",
4552 		.test = alg_test_skcipher,
4553 		.suite = {
4554 			.cipher = __VECS(aria_cfb_tv_template)
4555 		},
4556 	}, {
4557 		.alg = "cfb(sm4)",
4558 		.test = alg_test_skcipher,
4559 		.suite = {
4560 			.cipher = __VECS(sm4_cfb_tv_template)
4561 		}
4562 	}, {
4563 		.alg = "chacha20",
4564 		.test = alg_test_skcipher,
4565 		.suite = {
4566 			.cipher = __VECS(chacha20_tv_template)
4567 		},
4568 	}, {
4569 		.alg = "cmac(aes)",
4570 		.fips_allowed = 1,
4571 		.test = alg_test_hash,
4572 		.suite = {
4573 			.hash = __VECS(aes_cmac128_tv_template)
4574 		}
4575 	}, {
4576 		.alg = "cmac(des3_ede)",
4577 		.test = alg_test_hash,
4578 		.suite = {
4579 			.hash = __VECS(des3_ede_cmac64_tv_template)
4580 		}
4581 	}, {
4582 		.alg = "cmac(sm4)",
4583 		.test = alg_test_hash,
4584 		.suite = {
4585 			.hash = __VECS(sm4_cmac128_tv_template)
4586 		}
4587 	}, {
4588 		.alg = "compress_null",
4589 		.test = alg_test_null,
4590 	}, {
4591 		.alg = "crc32",
4592 		.test = alg_test_hash,
4593 		.fips_allowed = 1,
4594 		.suite = {
4595 			.hash = __VECS(crc32_tv_template)
4596 		}
4597 	}, {
4598 		.alg = "crc32c",
4599 		.test = alg_test_crc32c,
4600 		.fips_allowed = 1,
4601 		.suite = {
4602 			.hash = __VECS(crc32c_tv_template)
4603 		}
4604 	}, {
4605 		.alg = "crc64-rocksoft",
4606 		.test = alg_test_hash,
4607 		.fips_allowed = 1,
4608 		.suite = {
4609 			.hash = __VECS(crc64_rocksoft_tv_template)
4610 		}
4611 	}, {
4612 		.alg = "crct10dif",
4613 		.test = alg_test_hash,
4614 		.fips_allowed = 1,
4615 		.suite = {
4616 			.hash = __VECS(crct10dif_tv_template)
4617 		}
4618 	}, {
4619 		.alg = "ctr(aes)",
4620 		.test = alg_test_skcipher,
4621 		.fips_allowed = 1,
4622 		.suite = {
4623 			.cipher = __VECS(aes_ctr_tv_template)
4624 		}
4625 	}, {
4626 		.alg = "ctr(aria)",
4627 		.test = alg_test_skcipher,
4628 		.suite = {
4629 			.cipher = __VECS(aria_ctr_tv_template)
4630 		}
4631 	}, {
4632 		.alg = "ctr(blowfish)",
4633 		.test = alg_test_skcipher,
4634 		.suite = {
4635 			.cipher = __VECS(bf_ctr_tv_template)
4636 		}
4637 	}, {
4638 		.alg = "ctr(camellia)",
4639 		.test = alg_test_skcipher,
4640 		.suite = {
4641 			.cipher = __VECS(camellia_ctr_tv_template)
4642 		}
4643 	}, {
4644 		.alg = "ctr(cast5)",
4645 		.test = alg_test_skcipher,
4646 		.suite = {
4647 			.cipher = __VECS(cast5_ctr_tv_template)
4648 		}
4649 	}, {
4650 		.alg = "ctr(cast6)",
4651 		.test = alg_test_skcipher,
4652 		.suite = {
4653 			.cipher = __VECS(cast6_ctr_tv_template)
4654 		}
4655 	}, {
4656 		.alg = "ctr(des)",
4657 		.test = alg_test_skcipher,
4658 		.suite = {
4659 			.cipher = __VECS(des_ctr_tv_template)
4660 		}
4661 	}, {
4662 		.alg = "ctr(des3_ede)",
4663 		.test = alg_test_skcipher,
4664 		.suite = {
4665 			.cipher = __VECS(des3_ede_ctr_tv_template)
4666 		}
4667 	}, {
4668 		/* Same as ctr(aes) except the key is stored in
4669 		 * hardware secure memory which we reference by index
4670 		 */
4671 		.alg = "ctr(paes)",
4672 		.test = alg_test_null,
4673 		.fips_allowed = 1,
4674 	}, {
4675 
4676 		/* Same as ctr(sm4) except the key is stored in
4677 		 * hardware secure memory which we reference by index
4678 		 */
4679 		.alg = "ctr(psm4)",
4680 		.test = alg_test_null,
4681 	}, {
4682 		.alg = "ctr(serpent)",
4683 		.test = alg_test_skcipher,
4684 		.suite = {
4685 			.cipher = __VECS(serpent_ctr_tv_template)
4686 		}
4687 	}, {
4688 		.alg = "ctr(sm4)",
4689 		.test = alg_test_skcipher,
4690 		.suite = {
4691 			.cipher = __VECS(sm4_ctr_tv_template)
4692 		}
4693 	}, {
4694 		.alg = "ctr(twofish)",
4695 		.test = alg_test_skcipher,
4696 		.suite = {
4697 			.cipher = __VECS(tf_ctr_tv_template)
4698 		}
4699 	}, {
4700 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
4701 		.alg = "ctr-paes-s390",
4702 		.fips_allowed = 1,
4703 		.test = alg_test_skcipher,
4704 		.suite = {
4705 			.cipher = __VECS(aes_ctr_tv_template)
4706 		}
4707 	}, {
4708 #endif
4709 		.alg = "cts(cbc(aes))",
4710 		.test = alg_test_skcipher,
4711 		.fips_allowed = 1,
4712 		.suite = {
4713 			.cipher = __VECS(cts_mode_tv_template)
4714 		}
4715 	}, {
4716 		/* Same as cts(cbc((aes)) except the key is stored in
4717 		 * hardware secure memory which we reference by index
4718 		 */
4719 		.alg = "cts(cbc(paes))",
4720 		.test = alg_test_null,
4721 		.fips_allowed = 1,
4722 	}, {
4723 		.alg = "cts(cbc(sm4))",
4724 		.test = alg_test_skcipher,
4725 		.suite = {
4726 			.cipher = __VECS(sm4_cts_tv_template)
4727 		}
4728 	}, {
4729 		.alg = "curve25519",
4730 		.test = alg_test_kpp,
4731 		.suite = {
4732 			.kpp = __VECS(curve25519_tv_template)
4733 		}
4734 	}, {
4735 		.alg = "deflate",
4736 		.test = alg_test_comp,
4737 		.fips_allowed = 1,
4738 		.suite = {
4739 			.comp = {
4740 				.comp = __VECS(deflate_comp_tv_template),
4741 				.decomp = __VECS(deflate_decomp_tv_template)
4742 			}
4743 		}
4744 	}, {
4745 		.alg = "dh",
4746 		.test = alg_test_kpp,
4747 		.suite = {
4748 			.kpp = __VECS(dh_tv_template)
4749 		}
4750 	}, {
4751 		.alg = "digest_null",
4752 		.test = alg_test_null,
4753 	}, {
4754 		.alg = "drbg_nopr_ctr_aes128",
4755 		.test = alg_test_drbg,
4756 		.fips_allowed = 1,
4757 		.suite = {
4758 			.drbg = __VECS(drbg_nopr_ctr_aes128_tv_template)
4759 		}
4760 	}, {
4761 		.alg = "drbg_nopr_ctr_aes192",
4762 		.test = alg_test_drbg,
4763 		.fips_allowed = 1,
4764 		.suite = {
4765 			.drbg = __VECS(drbg_nopr_ctr_aes192_tv_template)
4766 		}
4767 	}, {
4768 		.alg = "drbg_nopr_ctr_aes256",
4769 		.test = alg_test_drbg,
4770 		.fips_allowed = 1,
4771 		.suite = {
4772 			.drbg = __VECS(drbg_nopr_ctr_aes256_tv_template)
4773 		}
4774 	}, {
4775 		/*
4776 		 * There is no need to specifically test the DRBG with every
4777 		 * backend cipher -- covered by drbg_nopr_hmac_sha256 test
4778 		 */
4779 		.alg = "drbg_nopr_hmac_sha1",
4780 		.fips_allowed = 1,
4781 		.test = alg_test_null,
4782 	}, {
4783 		.alg = "drbg_nopr_hmac_sha256",
4784 		.test = alg_test_drbg,
4785 		.fips_allowed = 1,
4786 		.suite = {
4787 			.drbg = __VECS(drbg_nopr_hmac_sha256_tv_template)
4788 		}
4789 	}, {
4790 		/* covered by drbg_nopr_hmac_sha256 test */
4791 		.alg = "drbg_nopr_hmac_sha384",
4792 		.test = alg_test_null,
4793 	}, {
4794 		.alg = "drbg_nopr_hmac_sha512",
4795 		.test = alg_test_drbg,
4796 		.fips_allowed = 1,
4797 		.suite = {
4798 			.drbg = __VECS(drbg_nopr_hmac_sha512_tv_template)
4799 		}
4800 	}, {
4801 		.alg = "drbg_nopr_sha1",
4802 		.fips_allowed = 1,
4803 		.test = alg_test_null,
4804 	}, {
4805 		.alg = "drbg_nopr_sha256",
4806 		.test = alg_test_drbg,
4807 		.fips_allowed = 1,
4808 		.suite = {
4809 			.drbg = __VECS(drbg_nopr_sha256_tv_template)
4810 		}
4811 	}, {
4812 		/* covered by drbg_nopr_sha256 test */
4813 		.alg = "drbg_nopr_sha384",
4814 		.test = alg_test_null,
4815 	}, {
4816 		.alg = "drbg_nopr_sha512",
4817 		.fips_allowed = 1,
4818 		.test = alg_test_null,
4819 	}, {
4820 		.alg = "drbg_pr_ctr_aes128",
4821 		.test = alg_test_drbg,
4822 		.fips_allowed = 1,
4823 		.suite = {
4824 			.drbg = __VECS(drbg_pr_ctr_aes128_tv_template)
4825 		}
4826 	}, {
4827 		/* covered by drbg_pr_ctr_aes128 test */
4828 		.alg = "drbg_pr_ctr_aes192",
4829 		.fips_allowed = 1,
4830 		.test = alg_test_null,
4831 	}, {
4832 		.alg = "drbg_pr_ctr_aes256",
4833 		.fips_allowed = 1,
4834 		.test = alg_test_null,
4835 	}, {
4836 		.alg = "drbg_pr_hmac_sha1",
4837 		.fips_allowed = 1,
4838 		.test = alg_test_null,
4839 	}, {
4840 		.alg = "drbg_pr_hmac_sha256",
4841 		.test = alg_test_drbg,
4842 		.fips_allowed = 1,
4843 		.suite = {
4844 			.drbg = __VECS(drbg_pr_hmac_sha256_tv_template)
4845 		}
4846 	}, {
4847 		/* covered by drbg_pr_hmac_sha256 test */
4848 		.alg = "drbg_pr_hmac_sha384",
4849 		.test = alg_test_null,
4850 	}, {
4851 		.alg = "drbg_pr_hmac_sha512",
4852 		.test = alg_test_null,
4853 		.fips_allowed = 1,
4854 	}, {
4855 		.alg = "drbg_pr_sha1",
4856 		.fips_allowed = 1,
4857 		.test = alg_test_null,
4858 	}, {
4859 		.alg = "drbg_pr_sha256",
4860 		.test = alg_test_drbg,
4861 		.fips_allowed = 1,
4862 		.suite = {
4863 			.drbg = __VECS(drbg_pr_sha256_tv_template)
4864 		}
4865 	}, {
4866 		/* covered by drbg_pr_sha256 test */
4867 		.alg = "drbg_pr_sha384",
4868 		.test = alg_test_null,
4869 	}, {
4870 		.alg = "drbg_pr_sha512",
4871 		.fips_allowed = 1,
4872 		.test = alg_test_null,
4873 	}, {
4874 		.alg = "ecb(aes)",
4875 		.test = alg_test_skcipher,
4876 		.fips_allowed = 1,
4877 		.suite = {
4878 			.cipher = __VECS(aes_tv_template)
4879 		}
4880 	}, {
4881 		.alg = "ecb(anubis)",
4882 		.test = alg_test_skcipher,
4883 		.suite = {
4884 			.cipher = __VECS(anubis_tv_template)
4885 		}
4886 	}, {
4887 		.alg = "ecb(arc4)",
4888 		.generic_driver = "ecb(arc4)-generic",
4889 		.test = alg_test_skcipher,
4890 		.suite = {
4891 			.cipher = __VECS(arc4_tv_template)
4892 		}
4893 	}, {
4894 		.alg = "ecb(aria)",
4895 		.test = alg_test_skcipher,
4896 		.suite = {
4897 			.cipher = __VECS(aria_tv_template)
4898 		}
4899 	}, {
4900 		.alg = "ecb(blowfish)",
4901 		.test = alg_test_skcipher,
4902 		.suite = {
4903 			.cipher = __VECS(bf_tv_template)
4904 		}
4905 	}, {
4906 		.alg = "ecb(camellia)",
4907 		.test = alg_test_skcipher,
4908 		.suite = {
4909 			.cipher = __VECS(camellia_tv_template)
4910 		}
4911 	}, {
4912 		.alg = "ecb(cast5)",
4913 		.test = alg_test_skcipher,
4914 		.suite = {
4915 			.cipher = __VECS(cast5_tv_template)
4916 		}
4917 	}, {
4918 		.alg = "ecb(cast6)",
4919 		.test = alg_test_skcipher,
4920 		.suite = {
4921 			.cipher = __VECS(cast6_tv_template)
4922 		}
4923 	}, {
4924 		.alg = "ecb(cipher_null)",
4925 		.test = alg_test_null,
4926 		.fips_allowed = 1,
4927 	}, {
4928 		.alg = "ecb(des)",
4929 		.test = alg_test_skcipher,
4930 		.suite = {
4931 			.cipher = __VECS(des_tv_template)
4932 		}
4933 	}, {
4934 		.alg = "ecb(des3_ede)",
4935 		.test = alg_test_skcipher,
4936 		.suite = {
4937 			.cipher = __VECS(des3_ede_tv_template)
4938 		}
4939 	}, {
4940 		.alg = "ecb(fcrypt)",
4941 		.test = alg_test_skcipher,
4942 		.suite = {
4943 			.cipher = {
4944 				.vecs = fcrypt_pcbc_tv_template,
4945 				.count = 1
4946 			}
4947 		}
4948 	}, {
4949 		.alg = "ecb(khazad)",
4950 		.test = alg_test_skcipher,
4951 		.suite = {
4952 			.cipher = __VECS(khazad_tv_template)
4953 		}
4954 	}, {
4955 		/* Same as ecb(aes) except the key is stored in
4956 		 * hardware secure memory which we reference by index
4957 		 */
4958 		.alg = "ecb(paes)",
4959 		.test = alg_test_null,
4960 		.fips_allowed = 1,
4961 	}, {
4962 		.alg = "ecb(seed)",
4963 		.test = alg_test_skcipher,
4964 		.suite = {
4965 			.cipher = __VECS(seed_tv_template)
4966 		}
4967 	}, {
4968 		.alg = "ecb(serpent)",
4969 		.test = alg_test_skcipher,
4970 		.suite = {
4971 			.cipher = __VECS(serpent_tv_template)
4972 		}
4973 	}, {
4974 		.alg = "ecb(sm4)",
4975 		.test = alg_test_skcipher,
4976 		.suite = {
4977 			.cipher = __VECS(sm4_tv_template)
4978 		}
4979 	}, {
4980 		.alg = "ecb(tea)",
4981 		.test = alg_test_skcipher,
4982 		.suite = {
4983 			.cipher = __VECS(tea_tv_template)
4984 		}
4985 	}, {
4986 		.alg = "ecb(twofish)",
4987 		.test = alg_test_skcipher,
4988 		.suite = {
4989 			.cipher = __VECS(tf_tv_template)
4990 		}
4991 	}, {
4992 		.alg = "ecb(xeta)",
4993 		.test = alg_test_skcipher,
4994 		.suite = {
4995 			.cipher = __VECS(xeta_tv_template)
4996 		}
4997 	}, {
4998 		.alg = "ecb(xtea)",
4999 		.test = alg_test_skcipher,
5000 		.suite = {
5001 			.cipher = __VECS(xtea_tv_template)
5002 		}
5003 	}, {
5004 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
5005 		.alg = "ecb-paes-s390",
5006 		.fips_allowed = 1,
5007 		.test = alg_test_skcipher,
5008 		.suite = {
5009 			.cipher = __VECS(aes_tv_template)
5010 		}
5011 	}, {
5012 #endif
5013 		.alg = "ecdh-nist-p192",
5014 		.test = alg_test_kpp,
5015 		.suite = {
5016 			.kpp = __VECS(ecdh_p192_tv_template)
5017 		}
5018 	}, {
5019 		.alg = "ecdh-nist-p256",
5020 		.test = alg_test_kpp,
5021 		.fips_allowed = 1,
5022 		.suite = {
5023 			.kpp = __VECS(ecdh_p256_tv_template)
5024 		}
5025 	}, {
5026 		.alg = "ecdh-nist-p384",
5027 		.test = alg_test_kpp,
5028 		.fips_allowed = 1,
5029 		.suite = {
5030 			.kpp = __VECS(ecdh_p384_tv_template)
5031 		}
5032 	}, {
5033 		.alg = "ecdsa-nist-p192",
5034 		.test = alg_test_akcipher,
5035 		.suite = {
5036 			.akcipher = __VECS(ecdsa_nist_p192_tv_template)
5037 		}
5038 	}, {
5039 		.alg = "ecdsa-nist-p256",
5040 		.test = alg_test_akcipher,
5041 		.fips_allowed = 1,
5042 		.suite = {
5043 			.akcipher = __VECS(ecdsa_nist_p256_tv_template)
5044 		}
5045 	}, {
5046 		.alg = "ecdsa-nist-p384",
5047 		.test = alg_test_akcipher,
5048 		.fips_allowed = 1,
5049 		.suite = {
5050 			.akcipher = __VECS(ecdsa_nist_p384_tv_template)
5051 		}
5052 	}, {
5053 		.alg = "ecrdsa",
5054 		.test = alg_test_akcipher,
5055 		.suite = {
5056 			.akcipher = __VECS(ecrdsa_tv_template)
5057 		}
5058 	}, {
5059 		.alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)",
5060 		.test = alg_test_aead,
5061 		.fips_allowed = 1,
5062 		.suite = {
5063 			.aead = __VECS(essiv_hmac_sha256_aes_cbc_tv_temp)
5064 		}
5065 	}, {
5066 		.alg = "essiv(cbc(aes),sha256)",
5067 		.test = alg_test_skcipher,
5068 		.fips_allowed = 1,
5069 		.suite = {
5070 			.cipher = __VECS(essiv_aes_cbc_tv_template)
5071 		}
5072 	}, {
5073 #if IS_ENABLED(CONFIG_CRYPTO_DH_RFC7919_GROUPS)
5074 		.alg = "ffdhe2048(dh)",
5075 		.test = alg_test_kpp,
5076 		.fips_allowed = 1,
5077 		.suite = {
5078 			.kpp = __VECS(ffdhe2048_dh_tv_template)
5079 		}
5080 	}, {
5081 		.alg = "ffdhe3072(dh)",
5082 		.test = alg_test_kpp,
5083 		.fips_allowed = 1,
5084 		.suite = {
5085 			.kpp = __VECS(ffdhe3072_dh_tv_template)
5086 		}
5087 	}, {
5088 		.alg = "ffdhe4096(dh)",
5089 		.test = alg_test_kpp,
5090 		.fips_allowed = 1,
5091 		.suite = {
5092 			.kpp = __VECS(ffdhe4096_dh_tv_template)
5093 		}
5094 	}, {
5095 		.alg = "ffdhe6144(dh)",
5096 		.test = alg_test_kpp,
5097 		.fips_allowed = 1,
5098 		.suite = {
5099 			.kpp = __VECS(ffdhe6144_dh_tv_template)
5100 		}
5101 	}, {
5102 		.alg = "ffdhe8192(dh)",
5103 		.test = alg_test_kpp,
5104 		.fips_allowed = 1,
5105 		.suite = {
5106 			.kpp = __VECS(ffdhe8192_dh_tv_template)
5107 		}
5108 	}, {
5109 #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
5110 		.alg = "gcm(aes)",
5111 		.generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)",
5112 		.test = alg_test_aead,
5113 		.fips_allowed = 1,
5114 		.suite = {
5115 			.aead = __VECS(aes_gcm_tv_template)
5116 		}
5117 	}, {
5118 		.alg = "gcm(aria)",
5119 		.generic_driver = "gcm_base(ctr(aria-generic),ghash-generic)",
5120 		.test = alg_test_aead,
5121 		.suite = {
5122 			.aead = __VECS(aria_gcm_tv_template)
5123 		}
5124 	}, {
5125 		.alg = "gcm(sm4)",
5126 		.generic_driver = "gcm_base(ctr(sm4-generic),ghash-generic)",
5127 		.test = alg_test_aead,
5128 		.suite = {
5129 			.aead = __VECS(sm4_gcm_tv_template)
5130 		}
5131 	}, {
5132 		.alg = "ghash",
5133 		.test = alg_test_hash,
5134 		.suite = {
5135 			.hash = __VECS(ghash_tv_template)
5136 		}
5137 	}, {
5138 		.alg = "hctr2(aes)",
5139 		.generic_driver =
5140 		    "hctr2_base(xctr(aes-generic),polyval-generic)",
5141 		.test = alg_test_skcipher,
5142 		.suite = {
5143 			.cipher = __VECS(aes_hctr2_tv_template)
5144 		}
5145 	}, {
5146 		.alg = "hmac(md5)",
5147 		.test = alg_test_hash,
5148 		.suite = {
5149 			.hash = __VECS(hmac_md5_tv_template)
5150 		}
5151 	}, {
5152 		.alg = "hmac(rmd160)",
5153 		.test = alg_test_hash,
5154 		.suite = {
5155 			.hash = __VECS(hmac_rmd160_tv_template)
5156 		}
5157 	}, {
5158 		.alg = "hmac(sha1)",
5159 		.test = alg_test_hash,
5160 		.fips_allowed = 1,
5161 		.suite = {
5162 			.hash = __VECS(hmac_sha1_tv_template)
5163 		}
5164 	}, {
5165 		.alg = "hmac(sha224)",
5166 		.test = alg_test_hash,
5167 		.fips_allowed = 1,
5168 		.suite = {
5169 			.hash = __VECS(hmac_sha224_tv_template)
5170 		}
5171 	}, {
5172 		.alg = "hmac(sha256)",
5173 		.test = alg_test_hash,
5174 		.fips_allowed = 1,
5175 		.suite = {
5176 			.hash = __VECS(hmac_sha256_tv_template)
5177 		}
5178 	}, {
5179 		.alg = "hmac(sha3-224)",
5180 		.test = alg_test_hash,
5181 		.fips_allowed = 1,
5182 		.suite = {
5183 			.hash = __VECS(hmac_sha3_224_tv_template)
5184 		}
5185 	}, {
5186 		.alg = "hmac(sha3-256)",
5187 		.test = alg_test_hash,
5188 		.fips_allowed = 1,
5189 		.suite = {
5190 			.hash = __VECS(hmac_sha3_256_tv_template)
5191 		}
5192 	}, {
5193 		.alg = "hmac(sha3-384)",
5194 		.test = alg_test_hash,
5195 		.fips_allowed = 1,
5196 		.suite = {
5197 			.hash = __VECS(hmac_sha3_384_tv_template)
5198 		}
5199 	}, {
5200 		.alg = "hmac(sha3-512)",
5201 		.test = alg_test_hash,
5202 		.fips_allowed = 1,
5203 		.suite = {
5204 			.hash = __VECS(hmac_sha3_512_tv_template)
5205 		}
5206 	}, {
5207 		.alg = "hmac(sha384)",
5208 		.test = alg_test_hash,
5209 		.fips_allowed = 1,
5210 		.suite = {
5211 			.hash = __VECS(hmac_sha384_tv_template)
5212 		}
5213 	}, {
5214 		.alg = "hmac(sha512)",
5215 		.test = alg_test_hash,
5216 		.fips_allowed = 1,
5217 		.suite = {
5218 			.hash = __VECS(hmac_sha512_tv_template)
5219 		}
5220 	}, {
5221 		.alg = "hmac(sm3)",
5222 		.test = alg_test_hash,
5223 		.suite = {
5224 			.hash = __VECS(hmac_sm3_tv_template)
5225 		}
5226 	}, {
5227 		.alg = "hmac(streebog256)",
5228 		.test = alg_test_hash,
5229 		.suite = {
5230 			.hash = __VECS(hmac_streebog256_tv_template)
5231 		}
5232 	}, {
5233 		.alg = "hmac(streebog512)",
5234 		.test = alg_test_hash,
5235 		.suite = {
5236 			.hash = __VECS(hmac_streebog512_tv_template)
5237 		}
5238 	}, {
5239 		.alg = "jitterentropy_rng",
5240 		.fips_allowed = 1,
5241 		.test = alg_test_null,
5242 	}, {
5243 		.alg = "kw(aes)",
5244 		.test = alg_test_skcipher,
5245 		.fips_allowed = 1,
5246 		.suite = {
5247 			.cipher = __VECS(aes_kw_tv_template)
5248 		}
5249 	}, {
5250 		.alg = "lrw(aes)",
5251 		.generic_driver = "lrw(ecb(aes-generic))",
5252 		.test = alg_test_skcipher,
5253 		.suite = {
5254 			.cipher = __VECS(aes_lrw_tv_template)
5255 		}
5256 	}, {
5257 		.alg = "lrw(camellia)",
5258 		.generic_driver = "lrw(ecb(camellia-generic))",
5259 		.test = alg_test_skcipher,
5260 		.suite = {
5261 			.cipher = __VECS(camellia_lrw_tv_template)
5262 		}
5263 	}, {
5264 		.alg = "lrw(cast6)",
5265 		.generic_driver = "lrw(ecb(cast6-generic))",
5266 		.test = alg_test_skcipher,
5267 		.suite = {
5268 			.cipher = __VECS(cast6_lrw_tv_template)
5269 		}
5270 	}, {
5271 		.alg = "lrw(serpent)",
5272 		.generic_driver = "lrw(ecb(serpent-generic))",
5273 		.test = alg_test_skcipher,
5274 		.suite = {
5275 			.cipher = __VECS(serpent_lrw_tv_template)
5276 		}
5277 	}, {
5278 		.alg = "lrw(twofish)",
5279 		.generic_driver = "lrw(ecb(twofish-generic))",
5280 		.test = alg_test_skcipher,
5281 		.suite = {
5282 			.cipher = __VECS(tf_lrw_tv_template)
5283 		}
5284 	}, {
5285 		.alg = "lz4",
5286 		.test = alg_test_comp,
5287 		.fips_allowed = 1,
5288 		.suite = {
5289 			.comp = {
5290 				.comp = __VECS(lz4_comp_tv_template),
5291 				.decomp = __VECS(lz4_decomp_tv_template)
5292 			}
5293 		}
5294 	}, {
5295 		.alg = "lz4hc",
5296 		.test = alg_test_comp,
5297 		.fips_allowed = 1,
5298 		.suite = {
5299 			.comp = {
5300 				.comp = __VECS(lz4hc_comp_tv_template),
5301 				.decomp = __VECS(lz4hc_decomp_tv_template)
5302 			}
5303 		}
5304 	}, {
5305 		.alg = "lzo",
5306 		.test = alg_test_comp,
5307 		.fips_allowed = 1,
5308 		.suite = {
5309 			.comp = {
5310 				.comp = __VECS(lzo_comp_tv_template),
5311 				.decomp = __VECS(lzo_decomp_tv_template)
5312 			}
5313 		}
5314 	}, {
5315 		.alg = "lzo-rle",
5316 		.test = alg_test_comp,
5317 		.fips_allowed = 1,
5318 		.suite = {
5319 			.comp = {
5320 				.comp = __VECS(lzorle_comp_tv_template),
5321 				.decomp = __VECS(lzorle_decomp_tv_template)
5322 			}
5323 		}
5324 	}, {
5325 		.alg = "md4",
5326 		.test = alg_test_hash,
5327 		.suite = {
5328 			.hash = __VECS(md4_tv_template)
5329 		}
5330 	}, {
5331 		.alg = "md5",
5332 		.test = alg_test_hash,
5333 		.suite = {
5334 			.hash = __VECS(md5_tv_template)
5335 		}
5336 	}, {
5337 		.alg = "michael_mic",
5338 		.test = alg_test_hash,
5339 		.suite = {
5340 			.hash = __VECS(michael_mic_tv_template)
5341 		}
5342 	}, {
5343 		.alg = "nhpoly1305",
5344 		.test = alg_test_hash,
5345 		.suite = {
5346 			.hash = __VECS(nhpoly1305_tv_template)
5347 		}
5348 	}, {
5349 		.alg = "ofb(aes)",
5350 		.test = alg_test_skcipher,
5351 		.fips_allowed = 1,
5352 		.suite = {
5353 			.cipher = __VECS(aes_ofb_tv_template)
5354 		}
5355 	}, {
5356 		/* Same as ofb(aes) except the key is stored in
5357 		 * hardware secure memory which we reference by index
5358 		 */
5359 		.alg = "ofb(paes)",
5360 		.test = alg_test_null,
5361 		.fips_allowed = 1,
5362 	}, {
5363 		.alg = "ofb(sm4)",
5364 		.test = alg_test_skcipher,
5365 		.suite = {
5366 			.cipher = __VECS(sm4_ofb_tv_template)
5367 		}
5368 	}, {
5369 		.alg = "pcbc(fcrypt)",
5370 		.test = alg_test_skcipher,
5371 		.suite = {
5372 			.cipher = __VECS(fcrypt_pcbc_tv_template)
5373 		}
5374 	}, {
5375 		.alg = "pkcs1pad(rsa,sha224)",
5376 		.test = alg_test_null,
5377 		.fips_allowed = 1,
5378 	}, {
5379 		.alg = "pkcs1pad(rsa,sha256)",
5380 		.test = alg_test_akcipher,
5381 		.fips_allowed = 1,
5382 		.suite = {
5383 			.akcipher = __VECS(pkcs1pad_rsa_tv_template)
5384 		}
5385 	}, {
5386 		.alg = "pkcs1pad(rsa,sha384)",
5387 		.test = alg_test_null,
5388 		.fips_allowed = 1,
5389 	}, {
5390 		.alg = "pkcs1pad(rsa,sha512)",
5391 		.test = alg_test_null,
5392 		.fips_allowed = 1,
5393 	}, {
5394 		.alg = "poly1305",
5395 		.test = alg_test_hash,
5396 		.suite = {
5397 			.hash = __VECS(poly1305_tv_template)
5398 		}
5399 	}, {
5400 		.alg = "polyval",
5401 		.test = alg_test_hash,
5402 		.suite = {
5403 			.hash = __VECS(polyval_tv_template)
5404 		}
5405 	}, {
5406 		.alg = "rfc3686(ctr(aes))",
5407 		.test = alg_test_skcipher,
5408 		.fips_allowed = 1,
5409 		.suite = {
5410 			.cipher = __VECS(aes_ctr_rfc3686_tv_template)
5411 		}
5412 	}, {
5413 		.alg = "rfc3686(ctr(sm4))",
5414 		.test = alg_test_skcipher,
5415 		.suite = {
5416 			.cipher = __VECS(sm4_ctr_rfc3686_tv_template)
5417 		}
5418 	}, {
5419 		.alg = "rfc4106(gcm(aes))",
5420 		.generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))",
5421 		.test = alg_test_aead,
5422 		.fips_allowed = 1,
5423 		.suite = {
5424 			.aead = {
5425 				____VECS(aes_gcm_rfc4106_tv_template),
5426 				.einval_allowed = 1,
5427 				.aad_iv = 1,
5428 			}
5429 		}
5430 	}, {
5431 		.alg = "rfc4309(ccm(aes))",
5432 		.generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))",
5433 		.test = alg_test_aead,
5434 		.fips_allowed = 1,
5435 		.suite = {
5436 			.aead = {
5437 				____VECS(aes_ccm_rfc4309_tv_template),
5438 				.einval_allowed = 1,
5439 				.aad_iv = 1,
5440 			}
5441 		}
5442 	}, {
5443 		.alg = "rfc4543(gcm(aes))",
5444 		.generic_driver = "rfc4543(gcm_base(ctr(aes-generic),ghash-generic))",
5445 		.test = alg_test_aead,
5446 		.suite = {
5447 			.aead = {
5448 				____VECS(aes_gcm_rfc4543_tv_template),
5449 				.einval_allowed = 1,
5450 				.aad_iv = 1,
5451 			}
5452 		}
5453 	}, {
5454 		.alg = "rfc7539(chacha20,poly1305)",
5455 		.test = alg_test_aead,
5456 		.suite = {
5457 			.aead = __VECS(rfc7539_tv_template)
5458 		}
5459 	}, {
5460 		.alg = "rfc7539esp(chacha20,poly1305)",
5461 		.test = alg_test_aead,
5462 		.suite = {
5463 			.aead = {
5464 				____VECS(rfc7539esp_tv_template),
5465 				.einval_allowed = 1,
5466 				.aad_iv = 1,
5467 			}
5468 		}
5469 	}, {
5470 		.alg = "rmd160",
5471 		.test = alg_test_hash,
5472 		.suite = {
5473 			.hash = __VECS(rmd160_tv_template)
5474 		}
5475 	}, {
5476 		.alg = "rsa",
5477 		.test = alg_test_akcipher,
5478 		.fips_allowed = 1,
5479 		.suite = {
5480 			.akcipher = __VECS(rsa_tv_template)
5481 		}
5482 	}, {
5483 		.alg = "sha1",
5484 		.test = alg_test_hash,
5485 		.fips_allowed = 1,
5486 		.suite = {
5487 			.hash = __VECS(sha1_tv_template)
5488 		}
5489 	}, {
5490 		.alg = "sha224",
5491 		.test = alg_test_hash,
5492 		.fips_allowed = 1,
5493 		.suite = {
5494 			.hash = __VECS(sha224_tv_template)
5495 		}
5496 	}, {
5497 		.alg = "sha256",
5498 		.test = alg_test_hash,
5499 		.fips_allowed = 1,
5500 		.suite = {
5501 			.hash = __VECS(sha256_tv_template)
5502 		}
5503 	}, {
5504 		.alg = "sha3-224",
5505 		.test = alg_test_hash,
5506 		.fips_allowed = 1,
5507 		.suite = {
5508 			.hash = __VECS(sha3_224_tv_template)
5509 		}
5510 	}, {
5511 		.alg = "sha3-256",
5512 		.test = alg_test_hash,
5513 		.fips_allowed = 1,
5514 		.suite = {
5515 			.hash = __VECS(sha3_256_tv_template)
5516 		}
5517 	}, {
5518 		.alg = "sha3-384",
5519 		.test = alg_test_hash,
5520 		.fips_allowed = 1,
5521 		.suite = {
5522 			.hash = __VECS(sha3_384_tv_template)
5523 		}
5524 	}, {
5525 		.alg = "sha3-512",
5526 		.test = alg_test_hash,
5527 		.fips_allowed = 1,
5528 		.suite = {
5529 			.hash = __VECS(sha3_512_tv_template)
5530 		}
5531 	}, {
5532 		.alg = "sha384",
5533 		.test = alg_test_hash,
5534 		.fips_allowed = 1,
5535 		.suite = {
5536 			.hash = __VECS(sha384_tv_template)
5537 		}
5538 	}, {
5539 		.alg = "sha512",
5540 		.test = alg_test_hash,
5541 		.fips_allowed = 1,
5542 		.suite = {
5543 			.hash = __VECS(sha512_tv_template)
5544 		}
5545 	}, {
5546 		.alg = "sm2",
5547 		.test = alg_test_akcipher,
5548 		.suite = {
5549 			.akcipher = __VECS(sm2_tv_template)
5550 		}
5551 	}, {
5552 		.alg = "sm3",
5553 		.test = alg_test_hash,
5554 		.suite = {
5555 			.hash = __VECS(sm3_tv_template)
5556 		}
5557 	}, {
5558 		.alg = "streebog256",
5559 		.test = alg_test_hash,
5560 		.suite = {
5561 			.hash = __VECS(streebog256_tv_template)
5562 		}
5563 	}, {
5564 		.alg = "streebog512",
5565 		.test = alg_test_hash,
5566 		.suite = {
5567 			.hash = __VECS(streebog512_tv_template)
5568 		}
5569 	}, {
5570 		.alg = "vmac64(aes)",
5571 		.test = alg_test_hash,
5572 		.suite = {
5573 			.hash = __VECS(vmac64_aes_tv_template)
5574 		}
5575 	}, {
5576 		.alg = "wp256",
5577 		.test = alg_test_hash,
5578 		.suite = {
5579 			.hash = __VECS(wp256_tv_template)
5580 		}
5581 	}, {
5582 		.alg = "wp384",
5583 		.test = alg_test_hash,
5584 		.suite = {
5585 			.hash = __VECS(wp384_tv_template)
5586 		}
5587 	}, {
5588 		.alg = "wp512",
5589 		.test = alg_test_hash,
5590 		.suite = {
5591 			.hash = __VECS(wp512_tv_template)
5592 		}
5593 	}, {
5594 		.alg = "xcbc(aes)",
5595 		.test = alg_test_hash,
5596 		.suite = {
5597 			.hash = __VECS(aes_xcbc128_tv_template)
5598 		}
5599 	}, {
5600 		.alg = "xcbc(sm4)",
5601 		.test = alg_test_hash,
5602 		.suite = {
5603 			.hash = __VECS(sm4_xcbc128_tv_template)
5604 		}
5605 	}, {
5606 		.alg = "xchacha12",
5607 		.test = alg_test_skcipher,
5608 		.suite = {
5609 			.cipher = __VECS(xchacha12_tv_template)
5610 		},
5611 	}, {
5612 		.alg = "xchacha20",
5613 		.test = alg_test_skcipher,
5614 		.suite = {
5615 			.cipher = __VECS(xchacha20_tv_template)
5616 		},
5617 	}, {
5618 		.alg = "xctr(aes)",
5619 		.test = alg_test_skcipher,
5620 		.suite = {
5621 			.cipher = __VECS(aes_xctr_tv_template)
5622 		}
5623 	}, {
5624 		.alg = "xts(aes)",
5625 		.generic_driver = "xts(ecb(aes-generic))",
5626 		.test = alg_test_skcipher,
5627 		.fips_allowed = 1,
5628 		.suite = {
5629 			.cipher = __VECS(aes_xts_tv_template)
5630 		}
5631 	}, {
5632 		.alg = "xts(camellia)",
5633 		.generic_driver = "xts(ecb(camellia-generic))",
5634 		.test = alg_test_skcipher,
5635 		.suite = {
5636 			.cipher = __VECS(camellia_xts_tv_template)
5637 		}
5638 	}, {
5639 		.alg = "xts(cast6)",
5640 		.generic_driver = "xts(ecb(cast6-generic))",
5641 		.test = alg_test_skcipher,
5642 		.suite = {
5643 			.cipher = __VECS(cast6_xts_tv_template)
5644 		}
5645 	}, {
5646 		/* Same as xts(aes) except the key is stored in
5647 		 * hardware secure memory which we reference by index
5648 		 */
5649 		.alg = "xts(paes)",
5650 		.test = alg_test_null,
5651 		.fips_allowed = 1,
5652 	}, {
5653 		.alg = "xts(serpent)",
5654 		.generic_driver = "xts(ecb(serpent-generic))",
5655 		.test = alg_test_skcipher,
5656 		.suite = {
5657 			.cipher = __VECS(serpent_xts_tv_template)
5658 		}
5659 	}, {
5660 		.alg = "xts(sm4)",
5661 		.generic_driver = "xts(ecb(sm4-generic))",
5662 		.test = alg_test_skcipher,
5663 		.suite = {
5664 			.cipher = __VECS(sm4_xts_tv_template)
5665 		}
5666 	}, {
5667 		.alg = "xts(twofish)",
5668 		.generic_driver = "xts(ecb(twofish-generic))",
5669 		.test = alg_test_skcipher,
5670 		.suite = {
5671 			.cipher = __VECS(tf_xts_tv_template)
5672 		}
5673 	}, {
5674 #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390)
5675 		.alg = "xts-paes-s390",
5676 		.fips_allowed = 1,
5677 		.test = alg_test_skcipher,
5678 		.suite = {
5679 			.cipher = __VECS(aes_xts_tv_template)
5680 		}
5681 	}, {
5682 #endif
5683 		.alg = "xts4096(paes)",
5684 		.test = alg_test_null,
5685 		.fips_allowed = 1,
5686 	}, {
5687 		.alg = "xts512(paes)",
5688 		.test = alg_test_null,
5689 		.fips_allowed = 1,
5690 	}, {
5691 		.alg = "xxhash64",
5692 		.test = alg_test_hash,
5693 		.fips_allowed = 1,
5694 		.suite = {
5695 			.hash = __VECS(xxhash64_tv_template)
5696 		}
5697 	}, {
5698 		.alg = "zlib-deflate",
5699 		.test = alg_test_comp,
5700 		.fips_allowed = 1,
5701 		.suite = {
5702 			.comp = {
5703 				.comp = __VECS(zlib_deflate_comp_tv_template),
5704 				.decomp = __VECS(zlib_deflate_decomp_tv_template)
5705 			}
5706 		}
5707 	}, {
5708 		.alg = "zstd",
5709 		.test = alg_test_comp,
5710 		.fips_allowed = 1,
5711 		.suite = {
5712 			.comp = {
5713 				.comp = __VECS(zstd_comp_tv_template),
5714 				.decomp = __VECS(zstd_decomp_tv_template)
5715 			}
5716 		}
5717 	}
5718 };
5719 
5720 static void alg_check_test_descs_order(void)
5721 {
5722 	int i;
5723 
5724 	for (i = 1; i < ARRAY_SIZE(alg_test_descs); i++) {
5725 		int diff = strcmp(alg_test_descs[i - 1].alg,
5726 				  alg_test_descs[i].alg);
5727 
5728 		if (WARN_ON(diff > 0)) {
5729 			pr_warn("testmgr: alg_test_descs entries in wrong order: '%s' before '%s'\n",
5730 				alg_test_descs[i - 1].alg,
5731 				alg_test_descs[i].alg);
5732 		}
5733 
5734 		if (WARN_ON(diff == 0)) {
5735 			pr_warn("testmgr: duplicate alg_test_descs entry: '%s'\n",
5736 				alg_test_descs[i].alg);
5737 		}
5738 	}
5739 }
5740 
5741 static void alg_check_testvec_configs(void)
5742 {
5743 	int i;
5744 
5745 	for (i = 0; i < ARRAY_SIZE(default_cipher_testvec_configs); i++)
5746 		WARN_ON(!valid_testvec_config(
5747 				&default_cipher_testvec_configs[i]));
5748 
5749 	for (i = 0; i < ARRAY_SIZE(default_hash_testvec_configs); i++)
5750 		WARN_ON(!valid_testvec_config(
5751 				&default_hash_testvec_configs[i]));
5752 }
5753 
5754 static void testmgr_onetime_init(void)
5755 {
5756 	alg_check_test_descs_order();
5757 	alg_check_testvec_configs();
5758 
5759 #ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
5760 	pr_warn("alg: extra crypto tests enabled.  This is intended for developer use only.\n");
5761 #endif
5762 }
5763 
5764 static int alg_find_test(const char *alg)
5765 {
5766 	int start = 0;
5767 	int end = ARRAY_SIZE(alg_test_descs);
5768 
5769 	while (start < end) {
5770 		int i = (start + end) / 2;
5771 		int diff = strcmp(alg_test_descs[i].alg, alg);
5772 
5773 		if (diff > 0) {
5774 			end = i;
5775 			continue;
5776 		}
5777 
5778 		if (diff < 0) {
5779 			start = i + 1;
5780 			continue;
5781 		}
5782 
5783 		return i;
5784 	}
5785 
5786 	return -1;
5787 }
5788 
5789 static int alg_fips_disabled(const char *driver, const char *alg)
5790 {
5791 	pr_info("alg: %s (%s) is disabled due to FIPS\n", alg, driver);
5792 
5793 	return -ECANCELED;
5794 }
5795 
5796 int alg_test(const char *driver, const char *alg, u32 type, u32 mask)
5797 {
5798 	int i;
5799 	int j;
5800 	int rc;
5801 
5802 	if (!fips_enabled && notests) {
5803 		printk_once(KERN_INFO "alg: self-tests disabled\n");
5804 		return 0;
5805 	}
5806 
5807 	DO_ONCE(testmgr_onetime_init);
5808 
5809 	if ((type & CRYPTO_ALG_TYPE_MASK) == CRYPTO_ALG_TYPE_CIPHER) {
5810 		char nalg[CRYPTO_MAX_ALG_NAME];
5811 
5812 		if (snprintf(nalg, sizeof(nalg), "ecb(%s)", alg) >=
5813 		    sizeof(nalg))
5814 			return -ENAMETOOLONG;
5815 
5816 		i = alg_find_test(nalg);
5817 		if (i < 0)
5818 			goto notest;
5819 
5820 		if (fips_enabled && !alg_test_descs[i].fips_allowed)
5821 			goto non_fips_alg;
5822 
5823 		rc = alg_test_cipher(alg_test_descs + i, driver, type, mask);
5824 		goto test_done;
5825 	}
5826 
5827 	i = alg_find_test(alg);
5828 	j = alg_find_test(driver);
5829 	if (i < 0 && j < 0)
5830 		goto notest;
5831 
5832 	if (fips_enabled) {
5833 		if (j >= 0 && !alg_test_descs[j].fips_allowed)
5834 			return -EINVAL;
5835 
5836 		if (i >= 0 && !alg_test_descs[i].fips_allowed)
5837 			goto non_fips_alg;
5838 	}
5839 
5840 	rc = 0;
5841 	if (i >= 0)
5842 		rc |= alg_test_descs[i].test(alg_test_descs + i, driver,
5843 					     type, mask);
5844 	if (j >= 0 && j != i)
5845 		rc |= alg_test_descs[j].test(alg_test_descs + j, driver,
5846 					     type, mask);
5847 
5848 test_done:
5849 	if (rc) {
5850 		if (fips_enabled || panic_on_fail) {
5851 			fips_fail_notify();
5852 			panic("alg: self-tests for %s (%s) failed in %s mode!\n",
5853 			      driver, alg,
5854 			      fips_enabled ? "fips" : "panic_on_fail");
5855 		}
5856 		pr_warn("alg: self-tests for %s using %s failed (rc=%d)",
5857 			alg, driver, rc);
5858 		WARN(rc != -ENOENT,
5859 		     "alg: self-tests for %s using %s failed (rc=%d)",
5860 		     alg, driver, rc);
5861 	} else {
5862 		if (fips_enabled)
5863 			pr_info("alg: self-tests for %s (%s) passed\n",
5864 				driver, alg);
5865 	}
5866 
5867 	return rc;
5868 
5869 notest:
5870 	printk(KERN_INFO "alg: No test for %s (%s)\n", alg, driver);
5871 
5872 	if (type & CRYPTO_ALG_FIPS_INTERNAL)
5873 		return alg_fips_disabled(driver, alg);
5874 
5875 	return 0;
5876 non_fips_alg:
5877 	return alg_fips_disabled(driver, alg);
5878 }
5879 
5880 #endif /* CONFIG_CRYPTO_MANAGER_DISABLE_TESTS */
5881 
5882 EXPORT_SYMBOL_GPL(alg_test);
5883