aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2014-08-04 12:52:51 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2014-08-04 12:52:51 -0400
commit3e7a716a92a0e051f5502c7b689f8c9127c37c33 (patch)
tree2ebb892eb3a024f108e68a9577c767a53b955a4a /crypto
parentc2df436bd2504f52808c10ab7d7da832f61ad3f0 (diff)
parentce5481d01f67ad304908ec2113515440c0fa86eb (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto update from Herbert Xu: - CTR(AES) optimisation on x86_64 using "by8" AVX. - arm64 support to ccp - Intel QAT crypto driver - Qualcomm crypto engine driver - x86-64 assembly optimisation for 3DES - CTR(3DES) speed test - move FIPS panic from module.c so that it only triggers on crypto modules - SP800-90A Deterministic Random Bit Generator (drbg). - more test vectors for ghash. - tweak self tests to catch partial block bugs. - misc fixes. * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (94 commits) crypto: drbg - fix failure of generating multiple of 2**16 bytes crypto: ccp - Do not sign extend input data to CCP crypto: testmgr - add missing spaces to drbg error strings crypto: atmel-tdes - Switch to managed version of kzalloc crypto: atmel-sha - Switch to managed version of kzalloc crypto: testmgr - use chunks smaller than algo block size in chunk tests crypto: qat - Fixed SKU1 dev issue crypto: qat - Use hweight for bit counting crypto: qat - Updated print outputs crypto: qat - change ae_num to ae_id crypto: qat - change slice->regions to slice->region crypto: qat - use min_t macro crypto: qat - remove unnecessary parentheses crypto: qat - remove unneeded header crypto: qat - checkpatch blank lines crypto: qat - remove unnecessary return codes crypto: Resolve shadow warnings crypto: ccp - Remove "select OF" from Kconfig crypto: caam - fix DECO RSR polling crypto: qce - Let 'DEV_QCE' depend on both HAS_DMA and HAS_IOMEM ...
Diffstat (limited to 'crypto')
-rw-r--r--crypto/Kconfig50
-rw-r--r--crypto/Makefile1
-rw-r--r--crypto/algapi.c14
-rw-r--r--crypto/cryptd.c12
-rw-r--r--crypto/des_generic.c22
-rw-r--r--crypto/drbg.c2044
-rw-r--r--crypto/eseqiv.c8
-rw-r--r--crypto/gcm.c30
-rw-r--r--crypto/lzo.c8
-rw-r--r--crypto/seqiv.c16
-rw-r--r--crypto/tcrypt.c114
-rw-r--r--crypto/testmgr.c304
-rw-r--r--crypto/testmgr.h1158
13 files changed, 3546 insertions, 235 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig
index ce4012a58781..6345c470650d 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -23,7 +23,8 @@ comment "Crypto core or helper"
23 23
24config CRYPTO_FIPS 24config CRYPTO_FIPS
25 bool "FIPS 200 compliance" 25 bool "FIPS 200 compliance"
26 depends on CRYPTO_ANSI_CPRNG && !CRYPTO_MANAGER_DISABLE_TESTS 26 depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
27 depends on MODULE_SIG
27 help 28 help
28 This options enables the fips boot option which is 29 This options enables the fips boot option which is
29 required if you want to system to operate in a FIPS 200 30 required if you want to system to operate in a FIPS 200
@@ -1019,6 +1020,19 @@ config CRYPTO_DES_SPARC64
1019 DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3), 1020 DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3),
1020 optimized using SPARC64 crypto opcodes. 1021 optimized using SPARC64 crypto opcodes.
1021 1022
1023config CRYPTO_DES3_EDE_X86_64
1024 tristate "Triple DES EDE cipher algorithm (x86-64)"
1025 depends on X86 && 64BIT
1026 select CRYPTO_ALGAPI
1027 select CRYPTO_DES
1028 help
1029 Triple DES EDE (FIPS 46-3) algorithm.
1030
1031 This module provides implementation of the Triple DES EDE cipher
1032 algorithm that is optimized for x86-64 processors. Two versions of
1033 algorithm are provided; regular processing one input block and
1034 one that processes three blocks parallel.
1035
1022config CRYPTO_FCRYPT 1036config CRYPTO_FCRYPT
1023 tristate "FCrypt cipher algorithm" 1037 tristate "FCrypt cipher algorithm"
1024 select CRYPTO_ALGAPI 1038 select CRYPTO_ALGAPI
@@ -1380,6 +1394,40 @@ config CRYPTO_ANSI_CPRNG
1380 ANSI X9.31 A.2.4. Note that this option must be enabled if 1394 ANSI X9.31 A.2.4. Note that this option must be enabled if
1381 CRYPTO_FIPS is selected 1395 CRYPTO_FIPS is selected
1382 1396
1397menuconfig CRYPTO_DRBG_MENU
1398 tristate "NIST SP800-90A DRBG"
1399 help
1400 NIST SP800-90A compliant DRBG. In the following submenu, one or
1401 more of the DRBG types must be selected.
1402
1403if CRYPTO_DRBG_MENU
1404
1405config CRYPTO_DRBG_HMAC
1406 bool "Enable HMAC DRBG"
1407 default y
1408 select CRYPTO_HMAC
1409 help
1410 Enable the HMAC DRBG variant as defined in NIST SP800-90A.
1411
1412config CRYPTO_DRBG_HASH
1413 bool "Enable Hash DRBG"
1414 select CRYPTO_HASH
1415 help
1416 Enable the Hash DRBG variant as defined in NIST SP800-90A.
1417
1418config CRYPTO_DRBG_CTR
1419 bool "Enable CTR DRBG"
1420 select CRYPTO_AES
1421 help
1422 Enable the CTR DRBG variant as defined in NIST SP800-90A.
1423
1424config CRYPTO_DRBG
1425 tristate
1426 default CRYPTO_DRBG_MENU if (CRYPTO_DRBG_HMAC || CRYPTO_DRBG_HASH || CRYPTO_DRBG_CTR)
1427 select CRYPTO_RNG
1428
1429endif # if CRYPTO_DRBG_MENU
1430
1383config CRYPTO_USER_API 1431config CRYPTO_USER_API
1384 tristate 1432 tristate
1385 1433
diff --git a/crypto/Makefile b/crypto/Makefile
index 38e64231dcd3..cfa57b3f5a4d 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -92,6 +92,7 @@ obj-$(CONFIG_CRYPTO_842) += 842.o
92obj-$(CONFIG_CRYPTO_RNG2) += rng.o 92obj-$(CONFIG_CRYPTO_RNG2) += rng.o
93obj-$(CONFIG_CRYPTO_RNG2) += krng.o 93obj-$(CONFIG_CRYPTO_RNG2) += krng.o
94obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o 94obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o
95obj-$(CONFIG_CRYPTO_DRBG) += drbg.o
95obj-$(CONFIG_CRYPTO_TEST) += tcrypt.o 96obj-$(CONFIG_CRYPTO_TEST) += tcrypt.o
96obj-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o 97obj-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o
97obj-$(CONFIG_CRYPTO_USER_API) += af_alg.o 98obj-$(CONFIG_CRYPTO_USER_API) += af_alg.o
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 7a1ae87f1683..e8d3a7dca8c4 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -41,8 +41,20 @@ static inline int crypto_set_driver_name(struct crypto_alg *alg)
41 return 0; 41 return 0;
42} 42}
43 43
44static inline void crypto_check_module_sig(struct module *mod)
45{
46#ifdef CONFIG_CRYPTO_FIPS
47 if (fips_enabled && mod && !mod->sig_ok)
48 panic("Module %s signature verification failed in FIPS mode\n",
49 mod->name);
50#endif
51 return;
52}
53
44static int crypto_check_alg(struct crypto_alg *alg) 54static int crypto_check_alg(struct crypto_alg *alg)
45{ 55{
56 crypto_check_module_sig(alg->cra_module);
57
46 if (alg->cra_alignmask & (alg->cra_alignmask + 1)) 58 if (alg->cra_alignmask & (alg->cra_alignmask + 1))
47 return -EINVAL; 59 return -EINVAL;
48 60
@@ -430,6 +442,8 @@ int crypto_register_template(struct crypto_template *tmpl)
430 442
431 down_write(&crypto_alg_sem); 443 down_write(&crypto_alg_sem);
432 444
445 crypto_check_module_sig(tmpl->module);
446
433 list_for_each_entry(q, &crypto_template_list, list) { 447 list_for_each_entry(q, &crypto_template_list, list) {
434 if (q == tmpl) 448 if (q == tmpl)
435 goto out; 449 goto out;
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 7bdd61b867c8..e592c90abebb 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -233,7 +233,7 @@ static void cryptd_blkcipher_decrypt(struct crypto_async_request *req, int err)
233} 233}
234 234
235static int cryptd_blkcipher_enqueue(struct ablkcipher_request *req, 235static int cryptd_blkcipher_enqueue(struct ablkcipher_request *req,
236 crypto_completion_t complete) 236 crypto_completion_t compl)
237{ 237{
238 struct cryptd_blkcipher_request_ctx *rctx = ablkcipher_request_ctx(req); 238 struct cryptd_blkcipher_request_ctx *rctx = ablkcipher_request_ctx(req);
239 struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); 239 struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
@@ -241,7 +241,7 @@ static int cryptd_blkcipher_enqueue(struct ablkcipher_request *req,
241 241
242 queue = cryptd_get_queue(crypto_ablkcipher_tfm(tfm)); 242 queue = cryptd_get_queue(crypto_ablkcipher_tfm(tfm));
243 rctx->complete = req->base.complete; 243 rctx->complete = req->base.complete;
244 req->base.complete = complete; 244 req->base.complete = compl;
245 245
246 return cryptd_enqueue_request(queue, &req->base); 246 return cryptd_enqueue_request(queue, &req->base);
247} 247}
@@ -414,7 +414,7 @@ static int cryptd_hash_setkey(struct crypto_ahash *parent,
414} 414}
415 415
416static int cryptd_hash_enqueue(struct ahash_request *req, 416static int cryptd_hash_enqueue(struct ahash_request *req,
417 crypto_completion_t complete) 417 crypto_completion_t compl)
418{ 418{
419 struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req); 419 struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
420 struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); 420 struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
@@ -422,7 +422,7 @@ static int cryptd_hash_enqueue(struct ahash_request *req,
422 cryptd_get_queue(crypto_ahash_tfm(tfm)); 422 cryptd_get_queue(crypto_ahash_tfm(tfm));
423 423
424 rctx->complete = req->base.complete; 424 rctx->complete = req->base.complete;
425 req->base.complete = complete; 425 req->base.complete = compl;
426 426
427 return cryptd_enqueue_request(queue, &req->base); 427 return cryptd_enqueue_request(queue, &req->base);
428} 428}
@@ -667,14 +667,14 @@ static void cryptd_aead_decrypt(struct crypto_async_request *areq, int err)
667} 667}
668 668
669static int cryptd_aead_enqueue(struct aead_request *req, 669static int cryptd_aead_enqueue(struct aead_request *req,
670 crypto_completion_t complete) 670 crypto_completion_t compl)
671{ 671{
672 struct cryptd_aead_request_ctx *rctx = aead_request_ctx(req); 672 struct cryptd_aead_request_ctx *rctx = aead_request_ctx(req);
673 struct crypto_aead *tfm = crypto_aead_reqtfm(req); 673 struct crypto_aead *tfm = crypto_aead_reqtfm(req);
674 struct cryptd_queue *queue = cryptd_get_queue(crypto_aead_tfm(tfm)); 674 struct cryptd_queue *queue = cryptd_get_queue(crypto_aead_tfm(tfm));
675 675
676 rctx->complete = req->base.complete; 676 rctx->complete = req->base.complete;
677 req->base.complete = complete; 677 req->base.complete = compl;
678 return cryptd_enqueue_request(queue, &req->base); 678 return cryptd_enqueue_request(queue, &req->base);
679} 679}
680 680
diff --git a/crypto/des_generic.c b/crypto/des_generic.c
index f6cf63f88468..298d464ab7d2 100644
--- a/crypto/des_generic.c
+++ b/crypto/des_generic.c
@@ -859,13 +859,10 @@ static void des_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
859 * property. 859 * property.
860 * 860 *
861 */ 861 */
862static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key, 862int __des3_ede_setkey(u32 *expkey, u32 *flags, const u8 *key,
863 unsigned int keylen) 863 unsigned int keylen)
864{ 864{
865 const u32 *K = (const u32 *)key; 865 const u32 *K = (const u32 *)key;
866 struct des3_ede_ctx *dctx = crypto_tfm_ctx(tfm);
867 u32 *expkey = dctx->expkey;
868 u32 *flags = &tfm->crt_flags;
869 866
870 if (unlikely(!((K[0] ^ K[2]) | (K[1] ^ K[3])) || 867 if (unlikely(!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
871 !((K[2] ^ K[4]) | (K[3] ^ K[5]))) && 868 !((K[2] ^ K[4]) | (K[3] ^ K[5]))) &&
@@ -880,6 +877,17 @@ static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key,
880 877
881 return 0; 878 return 0;
882} 879}
880EXPORT_SYMBOL_GPL(__des3_ede_setkey);
881
882static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key,
883 unsigned int keylen)
884{
885 struct des3_ede_ctx *dctx = crypto_tfm_ctx(tfm);
886 u32 *flags = &tfm->crt_flags;
887 u32 *expkey = dctx->expkey;
888
889 return __des3_ede_setkey(expkey, flags, key, keylen);
890}
883 891
884static void des3_ede_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 892static void des3_ede_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
885{ 893{
@@ -945,6 +953,8 @@ static void des3_ede_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
945 953
946static struct crypto_alg des_algs[2] = { { 954static struct crypto_alg des_algs[2] = { {
947 .cra_name = "des", 955 .cra_name = "des",
956 .cra_driver_name = "des-generic",
957 .cra_priority = 100,
948 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 958 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
949 .cra_blocksize = DES_BLOCK_SIZE, 959 .cra_blocksize = DES_BLOCK_SIZE,
950 .cra_ctxsize = sizeof(struct des_ctx), 960 .cra_ctxsize = sizeof(struct des_ctx),
@@ -958,6 +968,8 @@ static struct crypto_alg des_algs[2] = { {
958 .cia_decrypt = des_decrypt } } 968 .cia_decrypt = des_decrypt } }
959}, { 969}, {
960 .cra_name = "des3_ede", 970 .cra_name = "des3_ede",
971 .cra_driver_name = "des3_ede-generic",
972 .cra_priority = 100,
961 .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 973 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
962 .cra_blocksize = DES3_EDE_BLOCK_SIZE, 974 .cra_blocksize = DES3_EDE_BLOCK_SIZE,
963 .cra_ctxsize = sizeof(struct des3_ede_ctx), 975 .cra_ctxsize = sizeof(struct des3_ede_ctx),
diff --git a/crypto/drbg.c b/crypto/drbg.c
new file mode 100644
index 000000000000..7894db9ca90b
--- /dev/null
+++ b/crypto/drbg.c
@@ -0,0 +1,2044 @@
1/*
2 * DRBG: Deterministic Random Bits Generator
3 * Based on NIST Recommended DRBG from NIST SP800-90A with the following
4 * properties:
5 * * CTR DRBG with DF with AES-128, AES-192, AES-256 cores
6 * * Hash DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
7 * * HMAC DRBG with DF with SHA-1, SHA-256, SHA-384, SHA-512 cores
8 * * with and without prediction resistance
9 *
10 * Copyright Stephan Mueller <smueller@chronox.de>, 2014
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, and the entire permission notice in its entirety,
17 * including the disclaimer of warranties.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. The name of the author may not be used to endorse or promote
22 * products derived from this software without specific prior
23 * written permission.
24 *
25 * ALTERNATIVELY, this product may be distributed under the terms of
26 * the GNU General Public License, in which case the provisions of the GPL are
27 * required INSTEAD OF the above restrictions. (This clause is
28 * necessary due to a potential bad interaction between the GPL and
29 * the restrictions contained in a BSD-style copyright.)
30 *
31 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
32 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
33 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
34 * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
35 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
36 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
37 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
38 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
39 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
40 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
41 * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
42 * DAMAGE.
43 *
44 * DRBG Usage
45 * ==========
46 * The SP 800-90A DRBG allows the user to specify a personalization string
47 * for initialization as well as an additional information string for each
48 * random number request. The following code fragments show how a caller
49 * uses the kernel crypto API to use the full functionality of the DRBG.
50 *
51 * Usage without any additional data
52 * ---------------------------------
53 * struct crypto_rng *drng;
54 * int err;
55 * char data[DATALEN];
56 *
57 * drng = crypto_alloc_rng(drng_name, 0, 0);
58 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
59 * crypto_free_rng(drng);
60 *
61 *
62 * Usage with personalization string during initialization
63 * -------------------------------------------------------
64 * struct crypto_rng *drng;
65 * int err;
66 * char data[DATALEN];
67 * struct drbg_string pers;
68 * char personalization[11] = "some-string";
69 *
70 * drbg_string_fill(&pers, personalization, strlen(personalization));
71 * drng = crypto_alloc_rng(drng_name, 0, 0);
72 * // The reset completely re-initializes the DRBG with the provided
73 * // personalization string
74 * err = crypto_rng_reset(drng, &personalization, strlen(personalization));
75 * err = crypto_rng_get_bytes(drng, &data, DATALEN);
76 * crypto_free_rng(drng);
77 *
78 *
79 * Usage with additional information string during random number request
80 * ---------------------------------------------------------------------
81 * struct crypto_rng *drng;
82 * int err;
83 * char data[DATALEN];
84 * char addtl_string[11] = "some-string";
85 * string drbg_string addtl;
86 *
87 * drbg_string_fill(&addtl, addtl_string, strlen(addtl_string));
88 * drng = crypto_alloc_rng(drng_name, 0, 0);
89 * // The following call is a wrapper to crypto_rng_get_bytes() and returns
90 * // the same error codes.
91 * err = crypto_drbg_get_bytes_addtl(drng, &data, DATALEN, &addtl);
92 * crypto_free_rng(drng);
93 *
94 *
95 * Usage with personalization and additional information strings
96 * -------------------------------------------------------------
97 * Just mix both scenarios above.
98 */
99
100#include <crypto/drbg.h>
101
102/***************************************************************
103 * Backend cipher definitions available to DRBG
104 ***************************************************************/
105
106/*
107 * The order of the DRBG definitions here matter: every DRBG is registered
108 * as stdrng. Each DRBG receives an increasing cra_priority values the later
109 * they are defined in this array (see drbg_fill_array).
110 *
111 * HMAC DRBGs are favored over Hash DRBGs over CTR DRBGs, and
112 * the SHA256 / AES 256 over other ciphers. Thus, the favored
113 * DRBGs are the latest entries in this array.
114 */
115static const struct drbg_core drbg_cores[] = {
116#ifdef CONFIG_CRYPTO_DRBG_CTR
117 {
118 .flags = DRBG_CTR | DRBG_STRENGTH128,
119 .statelen = 32, /* 256 bits as defined in 10.2.1 */
120 .max_addtllen = 35,
121 .max_bits = 19,
122 .max_req = 48,
123 .blocklen_bytes = 16,
124 .cra_name = "ctr_aes128",
125 .backend_cra_name = "ecb(aes)",
126 }, {
127 .flags = DRBG_CTR | DRBG_STRENGTH192,
128 .statelen = 40, /* 320 bits as defined in 10.2.1 */
129 .max_addtllen = 35,
130 .max_bits = 19,
131 .max_req = 48,
132 .blocklen_bytes = 16,
133 .cra_name = "ctr_aes192",
134 .backend_cra_name = "ecb(aes)",
135 }, {
136 .flags = DRBG_CTR | DRBG_STRENGTH256,
137 .statelen = 48, /* 384 bits as defined in 10.2.1 */
138 .max_addtllen = 35,
139 .max_bits = 19,
140 .max_req = 48,
141 .blocklen_bytes = 16,
142 .cra_name = "ctr_aes256",
143 .backend_cra_name = "ecb(aes)",
144 },
145#endif /* CONFIG_CRYPTO_DRBG_CTR */
146#ifdef CONFIG_CRYPTO_DRBG_HASH
147 {
148 .flags = DRBG_HASH | DRBG_STRENGTH128,
149 .statelen = 55, /* 440 bits */
150 .max_addtllen = 35,
151 .max_bits = 19,
152 .max_req = 48,
153 .blocklen_bytes = 20,
154 .cra_name = "sha1",
155 .backend_cra_name = "sha1",
156 }, {
157 .flags = DRBG_HASH | DRBG_STRENGTH256,
158 .statelen = 111, /* 888 bits */
159 .max_addtllen = 35,
160 .max_bits = 19,
161 .max_req = 48,
162 .blocklen_bytes = 48,
163 .cra_name = "sha384",
164 .backend_cra_name = "sha384",
165 }, {
166 .flags = DRBG_HASH | DRBG_STRENGTH256,
167 .statelen = 111, /* 888 bits */
168 .max_addtllen = 35,
169 .max_bits = 19,
170 .max_req = 48,
171 .blocklen_bytes = 64,
172 .cra_name = "sha512",
173 .backend_cra_name = "sha512",
174 }, {
175 .flags = DRBG_HASH | DRBG_STRENGTH256,
176 .statelen = 55, /* 440 bits */
177 .max_addtllen = 35,
178 .max_bits = 19,
179 .max_req = 48,
180 .blocklen_bytes = 32,
181 .cra_name = "sha256",
182 .backend_cra_name = "sha256",
183 },
184#endif /* CONFIG_CRYPTO_DRBG_HASH */
185#ifdef CONFIG_CRYPTO_DRBG_HMAC
186 {
187 .flags = DRBG_HMAC | DRBG_STRENGTH128,
188 .statelen = 20, /* block length of cipher */
189 .max_addtllen = 35,
190 .max_bits = 19,
191 .max_req = 48,
192 .blocklen_bytes = 20,
193 .cra_name = "hmac_sha1",
194 .backend_cra_name = "hmac(sha1)",
195 }, {
196 .flags = DRBG_HMAC | DRBG_STRENGTH256,
197 .statelen = 48, /* block length of cipher */
198 .max_addtllen = 35,
199 .max_bits = 19,
200 .max_req = 48,
201 .blocklen_bytes = 48,
202 .cra_name = "hmac_sha384",
203 .backend_cra_name = "hmac(sha384)",
204 }, {
205 .flags = DRBG_HMAC | DRBG_STRENGTH256,
206 .statelen = 64, /* block length of cipher */
207 .max_addtllen = 35,
208 .max_bits = 19,
209 .max_req = 48,
210 .blocklen_bytes = 64,
211 .cra_name = "hmac_sha512",
212 .backend_cra_name = "hmac(sha512)",
213 }, {
214 .flags = DRBG_HMAC | DRBG_STRENGTH256,
215 .statelen = 32, /* block length of cipher */
216 .max_addtllen = 35,
217 .max_bits = 19,
218 .max_req = 48,
219 .blocklen_bytes = 32,
220 .cra_name = "hmac_sha256",
221 .backend_cra_name = "hmac(sha256)",
222 },
223#endif /* CONFIG_CRYPTO_DRBG_HMAC */
224};
225
226/******************************************************************
227 * Generic helper functions
228 ******************************************************************/
229
230/*
231 * Return strength of DRBG according to SP800-90A section 8.4
232 *
233 * @flags DRBG flags reference
234 *
235 * Return: normalized strength in *bytes* value or 32 as default
236 * to counter programming errors
237 */
238static inline unsigned short drbg_sec_strength(drbg_flag_t flags)
239{
240 switch (flags & DRBG_STRENGTH_MASK) {
241 case DRBG_STRENGTH128:
242 return 16;
243 case DRBG_STRENGTH192:
244 return 24;
245 case DRBG_STRENGTH256:
246 return 32;
247 default:
248 return 32;
249 }
250}
251
252/*
253 * FIPS 140-2 continuous self test
254 * The test is performed on the result of one round of the output
255 * function. Thus, the function implicitly knows the size of the
256 * buffer.
257 *
258 * The FIPS test can be called in an endless loop until it returns
259 * true. Although the code looks like a potential for a deadlock, it
260 * is not the case, because returning a false cannot mathematically
261 * occur (except once when a reseed took place and the updated state
262 * would is now set up such that the generation of new value returns
263 * an identical one -- this is most unlikely and would happen only once).
264 * Thus, if this function repeatedly returns false and thus would cause
265 * a deadlock, the integrity of the entire kernel is lost.
266 *
267 * @drbg DRBG handle
268 * @buf output buffer of random data to be checked
269 *
270 * return:
271 * true on success
272 * false on error
273 */
274static bool drbg_fips_continuous_test(struct drbg_state *drbg,
275 const unsigned char *buf)
276{
277#ifdef CONFIG_CRYPTO_FIPS
278 int ret = 0;
279 /* skip test if we test the overall system */
280 if (drbg->test_data)
281 return true;
282 /* only perform test in FIPS mode */
283 if (0 == fips_enabled)
284 return true;
285 if (!drbg->fips_primed) {
286 /* Priming of FIPS test */
287 memcpy(drbg->prev, buf, drbg_blocklen(drbg));
288 drbg->fips_primed = true;
289 /* return false due to priming, i.e. another round is needed */
290 return false;
291 }
292 ret = memcmp(drbg->prev, buf, drbg_blocklen(drbg));
293 memcpy(drbg->prev, buf, drbg_blocklen(drbg));
294 /* the test shall pass when the two compared values are not equal */
295 return ret != 0;
296#else
297 return true;
298#endif /* CONFIG_CRYPTO_FIPS */
299}
300
301/*
302 * Convert an integer into a byte representation of this integer.
303 * The byte representation is big-endian
304 *
305 * @buf buffer holding the converted integer
306 * @val value to be converted
307 * @buflen length of buffer
308 */
309#if (defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR))
310static inline void drbg_int2byte(unsigned char *buf, uint64_t val,
311 size_t buflen)
312{
313 unsigned char *byte;
314 uint64_t i;
315
316 byte = buf + (buflen - 1);
317 for (i = 0; i < buflen; i++)
318 *(byte--) = val >> (i * 8) & 0xff;
319}
320
321/*
322 * Increment buffer
323 *
324 * @dst buffer to increment
325 * @add value to add
326 */
327static inline void drbg_add_buf(unsigned char *dst, size_t dstlen,
328 const unsigned char *add, size_t addlen)
329{
330 /* implied: dstlen > addlen */
331 unsigned char *dstptr;
332 const unsigned char *addptr;
333 unsigned int remainder = 0;
334 size_t len = addlen;
335
336 dstptr = dst + (dstlen-1);
337 addptr = add + (addlen-1);
338 while (len) {
339 remainder += *dstptr + *addptr;
340 *dstptr = remainder & 0xff;
341 remainder >>= 8;
342 len--; dstptr--; addptr--;
343 }
344 len = dstlen - addlen;
345 while (len && remainder > 0) {
346 remainder = *dstptr + 1;
347 *dstptr = remainder & 0xff;
348 remainder >>= 8;
349 len--; dstptr--;
350 }
351}
352#endif /* defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_CTR) */
353
354/******************************************************************
355 * CTR DRBG callback functions
356 ******************************************************************/
357
358#ifdef CONFIG_CRYPTO_DRBG_CTR
359#define CRYPTO_DRBG_CTR_STRING "CTR "
360static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
361 unsigned char *outval, const struct drbg_string *in);
362static int drbg_init_sym_kernel(struct drbg_state *drbg);
363static int drbg_fini_sym_kernel(struct drbg_state *drbg);
364
365/* BCC function for CTR DRBG as defined in 10.4.3 */
366static int drbg_ctr_bcc(struct drbg_state *drbg,
367 unsigned char *out, const unsigned char *key,
368 struct list_head *in)
369{
370 int ret = 0;
371 struct drbg_string *curr = NULL;
372 struct drbg_string data;
373 short cnt = 0;
374
375 drbg_string_fill(&data, out, drbg_blocklen(drbg));
376
377 /* 10.4.3 step 1 */
378 memset(out, 0, drbg_blocklen(drbg));
379
380 /* 10.4.3 step 2 / 4 */
381 list_for_each_entry(curr, in, list) {
382 const unsigned char *pos = curr->buf;
383 size_t len = curr->len;
384 /* 10.4.3 step 4.1 */
385 while (len) {
386 /* 10.4.3 step 4.2 */
387 if (drbg_blocklen(drbg) == cnt) {
388 cnt = 0;
389 ret = drbg_kcapi_sym(drbg, key, out, &data);
390 if (ret)
391 return ret;
392 }
393 out[cnt] ^= *pos;
394 pos++;
395 cnt++;
396 len--;
397 }
398 }
399 /* 10.4.3 step 4.2 for last block */
400 if (cnt)
401 ret = drbg_kcapi_sym(drbg, key, out, &data);
402
403 return ret;
404}
405
406/*
407 * scratchpad usage: drbg_ctr_update is interlinked with drbg_ctr_df
408 * (and drbg_ctr_bcc, but this function does not need any temporary buffers),
409 * the scratchpad is used as follows:
410 * drbg_ctr_update:
411 * temp
412 * start: drbg->scratchpad
413 * length: drbg_statelen(drbg) + drbg_blocklen(drbg)
414 * note: the cipher writing into this variable works
415 * blocklen-wise. Now, when the statelen is not a multiple
416 * of blocklen, the generateion loop below "spills over"
417 * by at most blocklen. Thus, we need to give sufficient
418 * memory.
419 * df_data
420 * start: drbg->scratchpad +
421 * drbg_statelen(drbg) + drbg_blocklen(drbg)
422 * length: drbg_statelen(drbg)
423 *
424 * drbg_ctr_df:
425 * pad
426 * start: df_data + drbg_statelen(drbg)
427 * length: drbg_blocklen(drbg)
428 * iv
429 * start: pad + drbg_blocklen(drbg)
430 * length: drbg_blocklen(drbg)
431 * temp
432 * start: iv + drbg_blocklen(drbg)
433 * length: drbg_satelen(drbg) + drbg_blocklen(drbg)
434 * note: temp is the buffer that the BCC function operates
435 * on. BCC operates blockwise. drbg_statelen(drbg)
436 * is sufficient when the DRBG state length is a multiple
437 * of the block size. For AES192 (and maybe other ciphers)
438 * this is not correct and the length for temp is
439 * insufficient (yes, that also means for such ciphers,
440 * the final output of all BCC rounds are truncated).
441 * Therefore, add drbg_blocklen(drbg) to cover all
442 * possibilities.
443 */
444
445/* Derivation Function for CTR DRBG as defined in 10.4.2 */
446static int drbg_ctr_df(struct drbg_state *drbg,
447 unsigned char *df_data, size_t bytes_to_return,
448 struct list_head *seedlist)
449{
450 int ret = -EFAULT;
451 unsigned char L_N[8];
452 /* S3 is input */
453 struct drbg_string S1, S2, S4, cipherin;
454 LIST_HEAD(bcc_list);
455 unsigned char *pad = df_data + drbg_statelen(drbg);
456 unsigned char *iv = pad + drbg_blocklen(drbg);
457 unsigned char *temp = iv + drbg_blocklen(drbg);
458 size_t padlen = 0;
459 unsigned int templen = 0;
460 /* 10.4.2 step 7 */
461 unsigned int i = 0;
462 /* 10.4.2 step 8 */
463 const unsigned char *K = (unsigned char *)
464 "\x00\x01\x02\x03\x04\x05\x06\x07"
465 "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
466 "\x10\x11\x12\x13\x14\x15\x16\x17"
467 "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
468 unsigned char *X;
469 size_t generated_len = 0;
470 size_t inputlen = 0;
471 struct drbg_string *seed = NULL;
472
473 memset(pad, 0, drbg_blocklen(drbg));
474 memset(iv, 0, drbg_blocklen(drbg));
475 memset(temp, 0, drbg_statelen(drbg));
476
477 /* 10.4.2 step 1 is implicit as we work byte-wise */
478
479 /* 10.4.2 step 2 */
480 if ((512/8) < bytes_to_return)
481 return -EINVAL;
482
483 /* 10.4.2 step 2 -- calculate the entire length of all input data */
484 list_for_each_entry(seed, seedlist, list)
485 inputlen += seed->len;
486 drbg_int2byte(&L_N[0], inputlen, 4);
487
488 /* 10.4.2 step 3 */
489 drbg_int2byte(&L_N[4], bytes_to_return, 4);
490
491 /* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
492 padlen = (inputlen + sizeof(L_N) + 1) % (drbg_blocklen(drbg));
493 /* wrap the padlen appropriately */
494 if (padlen)
495 padlen = drbg_blocklen(drbg) - padlen;
496 /*
497 * pad / padlen contains the 0x80 byte and the following zero bytes.
498 * As the calculated padlen value only covers the number of zero
499 * bytes, this value has to be incremented by one for the 0x80 byte.
500 */
501 padlen++;
502 pad[0] = 0x80;
503
504 /* 10.4.2 step 4 -- first fill the linked list and then order it */
505 drbg_string_fill(&S1, iv, drbg_blocklen(drbg));
506 list_add_tail(&S1.list, &bcc_list);
507 drbg_string_fill(&S2, L_N, sizeof(L_N));
508 list_add_tail(&S2.list, &bcc_list);
509 list_splice_tail(seedlist, &bcc_list);
510 drbg_string_fill(&S4, pad, padlen);
511 list_add_tail(&S4.list, &bcc_list);
512
513 /* 10.4.2 step 9 */
514 while (templen < (drbg_keylen(drbg) + (drbg_blocklen(drbg)))) {
515 /*
516 * 10.4.2 step 9.1 - the padding is implicit as the buffer
517 * holds zeros after allocation -- even the increment of i
518 * is irrelevant as the increment remains within length of i
519 */
520 drbg_int2byte(iv, i, 4);
521 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */
522 ret = drbg_ctr_bcc(drbg, temp + templen, K, &bcc_list);
523 if (ret)
524 goto out;
525 /* 10.4.2 step 9.3 */
526 i++;
527 templen += drbg_blocklen(drbg);
528 }
529
530 /* 10.4.2 step 11 */
531 X = temp + (drbg_keylen(drbg));
532 drbg_string_fill(&cipherin, X, drbg_blocklen(drbg));
533
534 /* 10.4.2 step 12: overwriting of outval is implemented in next step */
535
536 /* 10.4.2 step 13 */
537 while (generated_len < bytes_to_return) {
538 short blocklen = 0;
539 /*
540 * 10.4.2 step 13.1: the truncation of the key length is
541 * implicit as the key is only drbg_blocklen in size based on
542 * the implementation of the cipher function callback
543 */
544 ret = drbg_kcapi_sym(drbg, temp, X, &cipherin);
545 if (ret)
546 goto out;
547 blocklen = (drbg_blocklen(drbg) <
548 (bytes_to_return - generated_len)) ?
549 drbg_blocklen(drbg) :
550 (bytes_to_return - generated_len);
551 /* 10.4.2 step 13.2 and 14 */
552 memcpy(df_data + generated_len, X, blocklen);
553 generated_len += blocklen;
554 }
555
556 ret = 0;
557
558out:
559 memset(iv, 0, drbg_blocklen(drbg));
560 memset(temp, 0, drbg_statelen(drbg));
561 memset(pad, 0, drbg_blocklen(drbg));
562 return ret;
563}
564
565/*
566 * update function of CTR DRBG as defined in 10.2.1.2
567 *
568 * The reseed variable has an enhanced meaning compared to the update
569 * functions of the other DRBGs as follows:
570 * 0 => initial seed from initialization
571 * 1 => reseed via drbg_seed
572 * 2 => first invocation from drbg_ctr_update when addtl is present. In
573 * this case, the df_data scratchpad is not deleted so that it is
574 * available for another calls to prevent calling the DF function
575 * again.
576 * 3 => second invocation from drbg_ctr_update. When the update function
577 * was called with addtl, the df_data memory already contains the
578 * DFed addtl information and we do not need to call DF again.
579 */
580static int drbg_ctr_update(struct drbg_state *drbg, struct list_head *seed,
581 int reseed)
582{
583 int ret = -EFAULT;
584 /* 10.2.1.2 step 1 */
585 unsigned char *temp = drbg->scratchpad;
586 unsigned char *df_data = drbg->scratchpad + drbg_statelen(drbg) +
587 drbg_blocklen(drbg);
588 unsigned char *temp_p, *df_data_p; /* pointer to iterate over buffers */
589 unsigned int len = 0;
590 struct drbg_string cipherin;
591 unsigned char prefix = DRBG_PREFIX1;
592
593 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
594 if (3 > reseed)
595 memset(df_data, 0, drbg_statelen(drbg));
596
597 /* 10.2.1.3.2 step 2 and 10.2.1.4.2 step 2 */
598 if (seed) {
599 ret = drbg_ctr_df(drbg, df_data, drbg_statelen(drbg), seed);
600 if (ret)
601 goto out;
602 }
603
604 drbg_string_fill(&cipherin, drbg->V, drbg_blocklen(drbg));
605 /*
606 * 10.2.1.3.2 steps 2 and 3 are already covered as the allocation
607 * zeroizes all memory during initialization
608 */
609 while (len < (drbg_statelen(drbg))) {
610 /* 10.2.1.2 step 2.1 */
611 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1);
612 /*
613 * 10.2.1.2 step 2.2 */
614 ret = drbg_kcapi_sym(drbg, drbg->C, temp + len, &cipherin);
615 if (ret)
616 goto out;
617 /* 10.2.1.2 step 2.3 and 3 */
618 len += drbg_blocklen(drbg);
619 }
620
621 /* 10.2.1.2 step 4 */
622 temp_p = temp;
623 df_data_p = df_data;
624 for (len = 0; len < drbg_statelen(drbg); len++) {
625 *temp_p ^= *df_data_p;
626 df_data_p++; temp_p++;
627 }
628
629 /* 10.2.1.2 step 5 */
630 memcpy(drbg->C, temp, drbg_keylen(drbg));
631 /* 10.2.1.2 step 6 */
632 memcpy(drbg->V, temp + drbg_keylen(drbg), drbg_blocklen(drbg));
633 ret = 0;
634
635out:
636 memset(temp, 0, drbg_statelen(drbg) + drbg_blocklen(drbg));
637 if (2 != reseed)
638 memset(df_data, 0, drbg_statelen(drbg));
639 return ret;
640}
641
642/*
643 * scratchpad use: drbg_ctr_update is called independently from
644 * drbg_ctr_extract_bytes. Therefore, the scratchpad is reused
645 */
646/* Generate function of CTR DRBG as defined in 10.2.1.5.2 */
647static int drbg_ctr_generate(struct drbg_state *drbg,
648 unsigned char *buf, unsigned int buflen,
649 struct list_head *addtl)
650{
651 int len = 0;
652 int ret = 0;
653 struct drbg_string data;
654 unsigned char prefix = DRBG_PREFIX1;
655
656 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
657
658 /* 10.2.1.5.2 step 2 */
659 if (addtl && !list_empty(addtl)) {
660 ret = drbg_ctr_update(drbg, addtl, 2);
661 if (ret)
662 return 0;
663 }
664
665 /* 10.2.1.5.2 step 4.1 */
666 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1);
667 drbg_string_fill(&data, drbg->V, drbg_blocklen(drbg));
668 while (len < buflen) {
669 int outlen = 0;
670 /* 10.2.1.5.2 step 4.2 */
671 ret = drbg_kcapi_sym(drbg, drbg->C, drbg->scratchpad, &data);
672 if (ret) {
673 len = ret;
674 goto out;
675 }
676 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
677 drbg_blocklen(drbg) : (buflen - len);
678 if (!drbg_fips_continuous_test(drbg, drbg->scratchpad)) {
679 /* 10.2.1.5.2 step 6 */
680 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1);
681 continue;
682 }
683 /* 10.2.1.5.2 step 4.3 */
684 memcpy(buf + len, drbg->scratchpad, outlen);
685 len += outlen;
686 /* 10.2.1.5.2 step 6 */
687 if (len < buflen)
688 drbg_add_buf(drbg->V, drbg_blocklen(drbg), &prefix, 1);
689 }
690
691 /* 10.2.1.5.2 step 6 */
692 ret = drbg_ctr_update(drbg, NULL, 3);
693 if (ret)
694 len = ret;
695
696out:
697 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
698 return len;
699}
700
701static struct drbg_state_ops drbg_ctr_ops = {
702 .update = drbg_ctr_update,
703 .generate = drbg_ctr_generate,
704 .crypto_init = drbg_init_sym_kernel,
705 .crypto_fini = drbg_fini_sym_kernel,
706};
707#endif /* CONFIG_CRYPTO_DRBG_CTR */
708
709/******************************************************************
710 * HMAC DRBG callback functions
711 ******************************************************************/
712
713#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
714static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
715 unsigned char *outval, const struct list_head *in);
716static int drbg_init_hash_kernel(struct drbg_state *drbg);
717static int drbg_fini_hash_kernel(struct drbg_state *drbg);
718#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
719
720#ifdef CONFIG_CRYPTO_DRBG_HMAC
721#define CRYPTO_DRBG_HMAC_STRING "HMAC "
722/* update function of HMAC DRBG as defined in 10.1.2.2 */
723static int drbg_hmac_update(struct drbg_state *drbg, struct list_head *seed,
724 int reseed)
725{
726 int ret = -EFAULT;
727 int i = 0;
728 struct drbg_string seed1, seed2, vdata;
729 LIST_HEAD(seedlist);
730 LIST_HEAD(vdatalist);
731
732 if (!reseed) {
733 /* 10.1.2.3 step 2 */
734 memset(drbg->C, 0, drbg_statelen(drbg));
735 memset(drbg->V, 1, drbg_statelen(drbg));
736 }
737
738 drbg_string_fill(&seed1, drbg->V, drbg_statelen(drbg));
739 list_add_tail(&seed1.list, &seedlist);
740 /* buffer of seed2 will be filled in for loop below with one byte */
741 drbg_string_fill(&seed2, NULL, 1);
742 list_add_tail(&seed2.list, &seedlist);
743 /* input data of seed is allowed to be NULL at this point */
744 if (seed)
745 list_splice_tail(seed, &seedlist);
746
747 drbg_string_fill(&vdata, drbg->V, drbg_statelen(drbg));
748 list_add_tail(&vdata.list, &vdatalist);
749 for (i = 2; 0 < i; i--) {
750 /* first round uses 0x0, second 0x1 */
751 unsigned char prefix = DRBG_PREFIX0;
752 if (1 == i)
753 prefix = DRBG_PREFIX1;
754 /* 10.1.2.2 step 1 and 4 -- concatenation and HMAC for key */
755 seed2.buf = &prefix;
756 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->C, &seedlist);
757 if (ret)
758 return ret;
759
760 /* 10.1.2.2 step 2 and 5 -- HMAC for V */
761 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &vdatalist);
762 if (ret)
763 return ret;
764
765 /* 10.1.2.2 step 3 */
766 if (!seed)
767 return ret;
768 }
769
770 return 0;
771}
772
773/* generate function of HMAC DRBG as defined in 10.1.2.5 */
774static int drbg_hmac_generate(struct drbg_state *drbg,
775 unsigned char *buf,
776 unsigned int buflen,
777 struct list_head *addtl)
778{
779 int len = 0;
780 int ret = 0;
781 struct drbg_string data;
782 LIST_HEAD(datalist);
783
784 /* 10.1.2.5 step 2 */
785 if (addtl && !list_empty(addtl)) {
786 ret = drbg_hmac_update(drbg, addtl, 1);
787 if (ret)
788 return ret;
789 }
790
791 drbg_string_fill(&data, drbg->V, drbg_statelen(drbg));
792 list_add_tail(&data.list, &datalist);
793 while (len < buflen) {
794 unsigned int outlen = 0;
795 /* 10.1.2.5 step 4.1 */
796 ret = drbg_kcapi_hash(drbg, drbg->C, drbg->V, &datalist);
797 if (ret)
798 return ret;
799 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
800 drbg_blocklen(drbg) : (buflen - len);
801 if (!drbg_fips_continuous_test(drbg, drbg->V))
802 continue;
803
804 /* 10.1.2.5 step 4.2 */
805 memcpy(buf + len, drbg->V, outlen);
806 len += outlen;
807 }
808
809 /* 10.1.2.5 step 6 */
810 if (addtl && !list_empty(addtl))
811 ret = drbg_hmac_update(drbg, addtl, 1);
812 else
813 ret = drbg_hmac_update(drbg, NULL, 1);
814 if (ret)
815 return ret;
816
817 return len;
818}
819
820static struct drbg_state_ops drbg_hmac_ops = {
821 .update = drbg_hmac_update,
822 .generate = drbg_hmac_generate,
823 .crypto_init = drbg_init_hash_kernel,
824 .crypto_fini = drbg_fini_hash_kernel,
825
826};
827#endif /* CONFIG_CRYPTO_DRBG_HMAC */
828
829/******************************************************************
830 * Hash DRBG callback functions
831 ******************************************************************/
832
833#ifdef CONFIG_CRYPTO_DRBG_HASH
834#define CRYPTO_DRBG_HASH_STRING "HASH "
835/*
836 * scratchpad usage: as drbg_hash_update and drbg_hash_df are used
837 * interlinked, the scratchpad is used as follows:
838 * drbg_hash_update
839 * start: drbg->scratchpad
840 * length: drbg_statelen(drbg)
841 * drbg_hash_df:
842 * start: drbg->scratchpad + drbg_statelen(drbg)
843 * length: drbg_blocklen(drbg)
844 *
845 * drbg_hash_process_addtl uses the scratchpad, but fully completes
846 * before either of the functions mentioned before are invoked. Therefore,
847 * drbg_hash_process_addtl does not need to be specifically considered.
848 */
849
850/* Derivation Function for Hash DRBG as defined in 10.4.1 */
851static int drbg_hash_df(struct drbg_state *drbg,
852 unsigned char *outval, size_t outlen,
853 struct list_head *entropylist)
854{
855 int ret = 0;
856 size_t len = 0;
857 unsigned char input[5];
858 unsigned char *tmp = drbg->scratchpad + drbg_statelen(drbg);
859 struct drbg_string data;
860
861 memset(tmp, 0, drbg_blocklen(drbg));
862
863 /* 10.4.1 step 3 */
864 input[0] = 1;
865 drbg_int2byte(&input[1], (outlen * 8), 4);
866
867 /* 10.4.1 step 4.1 -- concatenation of data for input into hash */
868 drbg_string_fill(&data, input, 5);
869 list_add(&data.list, entropylist);
870
871 /* 10.4.1 step 4 */
872 while (len < outlen) {
873 short blocklen = 0;
874 /* 10.4.1 step 4.1 */
875 ret = drbg_kcapi_hash(drbg, NULL, tmp, entropylist);
876 if (ret)
877 goto out;
878 /* 10.4.1 step 4.2 */
879 input[0]++;
880 blocklen = (drbg_blocklen(drbg) < (outlen - len)) ?
881 drbg_blocklen(drbg) : (outlen - len);
882 memcpy(outval + len, tmp, blocklen);
883 len += blocklen;
884 }
885
886out:
887 memset(tmp, 0, drbg_blocklen(drbg));
888 return ret;
889}
890
891/* update function for Hash DRBG as defined in 10.1.1.2 / 10.1.1.3 */
892static int drbg_hash_update(struct drbg_state *drbg, struct list_head *seed,
893 int reseed)
894{
895 int ret = 0;
896 struct drbg_string data1, data2;
897 LIST_HEAD(datalist);
898 LIST_HEAD(datalist2);
899 unsigned char *V = drbg->scratchpad;
900 unsigned char prefix = DRBG_PREFIX1;
901
902 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
903 if (!seed)
904 return -EINVAL;
905
906 if (reseed) {
907 /* 10.1.1.3 step 1 */
908 memcpy(V, drbg->V, drbg_statelen(drbg));
909 drbg_string_fill(&data1, &prefix, 1);
910 list_add_tail(&data1.list, &datalist);
911 drbg_string_fill(&data2, V, drbg_statelen(drbg));
912 list_add_tail(&data2.list, &datalist);
913 }
914 list_splice_tail(seed, &datalist);
915
916 /* 10.1.1.2 / 10.1.1.3 step 2 and 3 */
917 ret = drbg_hash_df(drbg, drbg->V, drbg_statelen(drbg), &datalist);
918 if (ret)
919 goto out;
920
921 /* 10.1.1.2 / 10.1.1.3 step 4 */
922 prefix = DRBG_PREFIX0;
923 drbg_string_fill(&data1, &prefix, 1);
924 list_add_tail(&data1.list, &datalist2);
925 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
926 list_add_tail(&data2.list, &datalist2);
927 /* 10.1.1.2 / 10.1.1.3 step 4 */
928 ret = drbg_hash_df(drbg, drbg->C, drbg_statelen(drbg), &datalist2);
929
930out:
931 memset(drbg->scratchpad, 0, drbg_statelen(drbg));
932 return ret;
933}
934
935/* processing of additional information string for Hash DRBG */
936static int drbg_hash_process_addtl(struct drbg_state *drbg,
937 struct list_head *addtl)
938{
939 int ret = 0;
940 struct drbg_string data1, data2;
941 LIST_HEAD(datalist);
942 unsigned char prefix = DRBG_PREFIX2;
943
944 /* this is value w as per documentation */
945 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
946
947 /* 10.1.1.4 step 2 */
948 if (!addtl || list_empty(addtl))
949 return 0;
950
951 /* 10.1.1.4 step 2a */
952 drbg_string_fill(&data1, &prefix, 1);
953 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
954 list_add_tail(&data1.list, &datalist);
955 list_add_tail(&data2.list, &datalist);
956 list_splice_tail(addtl, &datalist);
957 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist);
958 if (ret)
959 goto out;
960
961 /* 10.1.1.4 step 2b */
962 drbg_add_buf(drbg->V, drbg_statelen(drbg),
963 drbg->scratchpad, drbg_blocklen(drbg));
964
965out:
966 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
967 return ret;
968}
969
970/* Hashgen defined in 10.1.1.4 */
971static int drbg_hash_hashgen(struct drbg_state *drbg,
972 unsigned char *buf,
973 unsigned int buflen)
974{
975 int len = 0;
976 int ret = 0;
977 unsigned char *src = drbg->scratchpad;
978 unsigned char *dst = drbg->scratchpad + drbg_statelen(drbg);
979 struct drbg_string data;
980 LIST_HEAD(datalist);
981 unsigned char prefix = DRBG_PREFIX1;
982
983 memset(src, 0, drbg_statelen(drbg));
984 memset(dst, 0, drbg_blocklen(drbg));
985
986 /* 10.1.1.4 step hashgen 2 */
987 memcpy(src, drbg->V, drbg_statelen(drbg));
988
989 drbg_string_fill(&data, src, drbg_statelen(drbg));
990 list_add_tail(&data.list, &datalist);
991 while (len < buflen) {
992 unsigned int outlen = 0;
993 /* 10.1.1.4 step hashgen 4.1 */
994 ret = drbg_kcapi_hash(drbg, NULL, dst, &datalist);
995 if (ret) {
996 len = ret;
997 goto out;
998 }
999 outlen = (drbg_blocklen(drbg) < (buflen - len)) ?
1000 drbg_blocklen(drbg) : (buflen - len);
1001 if (!drbg_fips_continuous_test(drbg, dst)) {
1002 drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1);
1003 continue;
1004 }
1005 /* 10.1.1.4 step hashgen 4.2 */
1006 memcpy(buf + len, dst, outlen);
1007 len += outlen;
1008 /* 10.1.1.4 hashgen step 4.3 */
1009 if (len < buflen)
1010 drbg_add_buf(src, drbg_statelen(drbg), &prefix, 1);
1011 }
1012
1013out:
1014 memset(drbg->scratchpad, 0,
1015 (drbg_statelen(drbg) + drbg_blocklen(drbg)));
1016 return len;
1017}
1018
1019/* generate function for Hash DRBG as defined in 10.1.1.4 */
1020static int drbg_hash_generate(struct drbg_state *drbg,
1021 unsigned char *buf, unsigned int buflen,
1022 struct list_head *addtl)
1023{
1024 int len = 0;
1025 int ret = 0;
1026 unsigned char req[8];
1027 unsigned char prefix = DRBG_PREFIX3;
1028 struct drbg_string data1, data2;
1029 LIST_HEAD(datalist);
1030
1031 /* 10.1.1.4 step 2 */
1032 ret = drbg_hash_process_addtl(drbg, addtl);
1033 if (ret)
1034 return ret;
1035 /* 10.1.1.4 step 3 */
1036 len = drbg_hash_hashgen(drbg, buf, buflen);
1037
1038 /* this is the value H as documented in 10.1.1.4 */
1039 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1040 /* 10.1.1.4 step 4 */
1041 drbg_string_fill(&data1, &prefix, 1);
1042 list_add_tail(&data1.list, &datalist);
1043 drbg_string_fill(&data2, drbg->V, drbg_statelen(drbg));
1044 list_add_tail(&data2.list, &datalist);
1045 ret = drbg_kcapi_hash(drbg, NULL, drbg->scratchpad, &datalist);
1046 if (ret) {
1047 len = ret;
1048 goto out;
1049 }
1050
1051 /* 10.1.1.4 step 5 */
1052 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1053 drbg->scratchpad, drbg_blocklen(drbg));
1054 drbg_add_buf(drbg->V, drbg_statelen(drbg),
1055 drbg->C, drbg_statelen(drbg));
1056 drbg_int2byte(req, drbg->reseed_ctr, sizeof(req));
1057 drbg_add_buf(drbg->V, drbg_statelen(drbg), req, 8);
1058
1059out:
1060 memset(drbg->scratchpad, 0, drbg_blocklen(drbg));
1061 return len;
1062}
1063
1064/*
1065 * scratchpad usage: as update and generate are used isolated, both
1066 * can use the scratchpad
1067 */
1068static struct drbg_state_ops drbg_hash_ops = {
1069 .update = drbg_hash_update,
1070 .generate = drbg_hash_generate,
1071 .crypto_init = drbg_init_hash_kernel,
1072 .crypto_fini = drbg_fini_hash_kernel,
1073};
1074#endif /* CONFIG_CRYPTO_DRBG_HASH */
1075
1076/******************************************************************
1077 * Functions common for DRBG implementations
1078 ******************************************************************/
1079
1080/*
1081 * Seeding or reseeding of the DRBG
1082 *
1083 * @drbg: DRBG state struct
1084 * @pers: personalization / additional information buffer
1085 * @reseed: 0 for initial seed process, 1 for reseeding
1086 *
1087 * return:
1088 * 0 on success
1089 * error value otherwise
1090 */
1091static int drbg_seed(struct drbg_state *drbg, struct drbg_string *pers,
1092 bool reseed)
1093{
1094 int ret = 0;
1095 unsigned char *entropy = NULL;
1096 size_t entropylen = 0;
1097 struct drbg_string data1;
1098 LIST_HEAD(seedlist);
1099
1100 /* 9.1 / 9.2 / 9.3.1 step 3 */
1101 if (pers && pers->len > (drbg_max_addtl(drbg))) {
1102 pr_devel("DRBG: personalization string too long %zu\n",
1103 pers->len);
1104 return -EINVAL;
1105 }
1106
1107 if (drbg->test_data && drbg->test_data->testentropy) {
1108 drbg_string_fill(&data1, drbg->test_data->testentropy->buf,
1109 drbg->test_data->testentropy->len);
1110 pr_devel("DRBG: using test entropy\n");
1111 } else {
1112 /*
1113 * Gather entropy equal to the security strength of the DRBG.
1114 * With a derivation function, a nonce is required in addition
1115 * to the entropy. A nonce must be at least 1/2 of the security
1116 * strength of the DRBG in size. Thus, entropy * nonce is 3/2
1117 * of the strength. The consideration of a nonce is only
1118 * applicable during initial seeding.
1119 */
1120 entropylen = drbg_sec_strength(drbg->core->flags);
1121 if (!entropylen)
1122 return -EFAULT;
1123 if (!reseed)
1124 entropylen = ((entropylen + 1) / 2) * 3;
1125 pr_devel("DRBG: (re)seeding with %zu bytes of entropy\n",
1126 entropylen);
1127 entropy = kzalloc(entropylen, GFP_KERNEL);
1128 if (!entropy)
1129 return -ENOMEM;
1130 get_random_bytes(entropy, entropylen);
1131 drbg_string_fill(&data1, entropy, entropylen);
1132 }
1133 list_add_tail(&data1.list, &seedlist);
1134
1135 /*
1136 * concatenation of entropy with personalization str / addtl input)
1137 * the variable pers is directly handed in by the caller, so check its
1138 * contents whether it is appropriate
1139 */
1140 if (pers && pers->buf && 0 < pers->len) {
1141 list_add_tail(&pers->list, &seedlist);
1142 pr_devel("DRBG: using personalization string\n");
1143 }
1144
1145 ret = drbg->d_ops->update(drbg, &seedlist, reseed);
1146 if (ret)
1147 goto out;
1148
1149 drbg->seeded = true;
1150 /* 10.1.1.2 / 10.1.1.3 step 5 */
1151 drbg->reseed_ctr = 1;
1152
1153out:
1154 if (entropy)
1155 kzfree(entropy);
1156 return ret;
1157}
1158
1159/* Free all substructures in a DRBG state without the DRBG state structure */
1160static inline void drbg_dealloc_state(struct drbg_state *drbg)
1161{
1162 if (!drbg)
1163 return;
1164 if (drbg->V)
1165 kzfree(drbg->V);
1166 drbg->V = NULL;
1167 if (drbg->C)
1168 kzfree(drbg->C);
1169 drbg->C = NULL;
1170 if (drbg->scratchpad)
1171 kzfree(drbg->scratchpad);
1172 drbg->scratchpad = NULL;
1173 drbg->reseed_ctr = 0;
1174#ifdef CONFIG_CRYPTO_FIPS
1175 if (drbg->prev)
1176 kzfree(drbg->prev);
1177 drbg->prev = NULL;
1178 drbg->fips_primed = false;
1179#endif
1180}
1181
1182/*
1183 * Allocate all sub-structures for a DRBG state.
1184 * The DRBG state structure must already be allocated.
1185 */
1186static inline int drbg_alloc_state(struct drbg_state *drbg)
1187{
1188 int ret = -ENOMEM;
1189 unsigned int sb_size = 0;
1190
1191 if (!drbg)
1192 return -EINVAL;
1193
1194 drbg->V = kzalloc(drbg_statelen(drbg), GFP_KERNEL);
1195 if (!drbg->V)
1196 goto err;
1197 drbg->C = kzalloc(drbg_statelen(drbg), GFP_KERNEL);
1198 if (!drbg->C)
1199 goto err;
1200#ifdef CONFIG_CRYPTO_FIPS
1201 drbg->prev = kzalloc(drbg_blocklen(drbg), GFP_KERNEL);
1202 if (!drbg->prev)
1203 goto err;
1204 drbg->fips_primed = false;
1205#endif
1206 /* scratchpad is only generated for CTR and Hash */
1207 if (drbg->core->flags & DRBG_HMAC)
1208 sb_size = 0;
1209 else if (drbg->core->flags & DRBG_CTR)
1210 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg) + /* temp */
1211 drbg_statelen(drbg) + /* df_data */
1212 drbg_blocklen(drbg) + /* pad */
1213 drbg_blocklen(drbg) + /* iv */
1214 drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */
1215 else
1216 sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg);
1217
1218 if (0 < sb_size) {
1219 drbg->scratchpad = kzalloc(sb_size, GFP_KERNEL);
1220 if (!drbg->scratchpad)
1221 goto err;
1222 }
1223 spin_lock_init(&drbg->drbg_lock);
1224 return 0;
1225
1226err:
1227 drbg_dealloc_state(drbg);
1228 return ret;
1229}
1230
1231/*
1232 * Strategy to avoid holding long term locks: generate a shadow copy of DRBG
1233 * and perform all operations on this shadow copy. After finishing, restore
1234 * the updated state of the shadow copy into original drbg state. This way,
1235 * only the read and write operations of the original drbg state must be
1236 * locked
1237 */
1238static inline void drbg_copy_drbg(struct drbg_state *src,
1239 struct drbg_state *dst)
1240{
1241 if (!src || !dst)
1242 return;
1243 memcpy(dst->V, src->V, drbg_statelen(src));
1244 memcpy(dst->C, src->C, drbg_statelen(src));
1245 dst->reseed_ctr = src->reseed_ctr;
1246 dst->seeded = src->seeded;
1247 dst->pr = src->pr;
1248#ifdef CONFIG_CRYPTO_FIPS
1249 dst->fips_primed = src->fips_primed;
1250 memcpy(dst->prev, src->prev, drbg_blocklen(src));
1251#endif
1252 /*
1253 * Not copied:
1254 * scratchpad is initialized drbg_alloc_state;
1255 * priv_data is initialized with call to crypto_init;
1256 * d_ops and core are set outside, as these parameters are const;
1257 * test_data is set outside to prevent it being copied back.
1258 */
1259}
1260
1261static int drbg_make_shadow(struct drbg_state *drbg, struct drbg_state **shadow)
1262{
1263 int ret = -ENOMEM;
1264 struct drbg_state *tmp = NULL;
1265
1266 if (!drbg || !drbg->core || !drbg->V || !drbg->C) {
1267 pr_devel("DRBG: attempt to generate shadow copy for "
1268 "uninitialized DRBG state rejected\n");
1269 return -EINVAL;
1270 }
1271 /* HMAC does not have a scratchpad */
1272 if (!(drbg->core->flags & DRBG_HMAC) && NULL == drbg->scratchpad)
1273 return -EINVAL;
1274
1275 tmp = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1276 if (!tmp)
1277 return -ENOMEM;
1278
1279 /* read-only data as they are defined as const, no lock needed */
1280 tmp->core = drbg->core;
1281 tmp->d_ops = drbg->d_ops;
1282
1283 ret = drbg_alloc_state(tmp);
1284 if (ret)
1285 goto err;
1286
1287 spin_lock_bh(&drbg->drbg_lock);
1288 drbg_copy_drbg(drbg, tmp);
1289 /* only make a link to the test buffer, as we only read that data */
1290 tmp->test_data = drbg->test_data;
1291 spin_unlock_bh(&drbg->drbg_lock);
1292 *shadow = tmp;
1293 return 0;
1294
1295err:
1296 if (tmp)
1297 kzfree(tmp);
1298 return ret;
1299}
1300
1301static void drbg_restore_shadow(struct drbg_state *drbg,
1302 struct drbg_state **shadow)
1303{
1304 struct drbg_state *tmp = *shadow;
1305
1306 spin_lock_bh(&drbg->drbg_lock);
1307 drbg_copy_drbg(tmp, drbg);
1308 spin_unlock_bh(&drbg->drbg_lock);
1309 drbg_dealloc_state(tmp);
1310 kzfree(tmp);
1311 *shadow = NULL;
1312}
1313
1314/*************************************************************************
1315 * DRBG interface functions
1316 *************************************************************************/
1317
1318/*
1319 * DRBG generate function as required by SP800-90A - this function
1320 * generates random numbers
1321 *
1322 * @drbg DRBG state handle
1323 * @buf Buffer where to store the random numbers -- the buffer must already
1324 * be pre-allocated by caller
1325 * @buflen Length of output buffer - this value defines the number of random
1326 * bytes pulled from DRBG
1327 * @addtl Additional input that is mixed into state, may be NULL -- note
1328 * the entropy is pulled by the DRBG internally unconditionally
1329 * as defined in SP800-90A. The additional input is mixed into
1330 * the state in addition to the pulled entropy.
1331 *
1332 * return: generated number of bytes
1333 */
1334static int drbg_generate(struct drbg_state *drbg,
1335 unsigned char *buf, unsigned int buflen,
1336 struct drbg_string *addtl)
1337{
1338 int len = 0;
1339 struct drbg_state *shadow = NULL;
1340 LIST_HEAD(addtllist);
1341 struct drbg_string timestamp;
1342 union {
1343 cycles_t cycles;
1344 unsigned char char_cycles[sizeof(cycles_t)];
1345 } now;
1346
1347 if (0 == buflen || !buf) {
1348 pr_devel("DRBG: no output buffer provided\n");
1349 return -EINVAL;
1350 }
1351 if (addtl && NULL == addtl->buf && 0 < addtl->len) {
1352 pr_devel("DRBG: wrong format of additional information\n");
1353 return -EINVAL;
1354 }
1355
1356 len = drbg_make_shadow(drbg, &shadow);
1357 if (len) {
1358 pr_devel("DRBG: shadow copy cannot be generated\n");
1359 return len;
1360 }
1361
1362 /* 9.3.1 step 2 */
1363 len = -EINVAL;
1364 if (buflen > (drbg_max_request_bytes(shadow))) {
1365 pr_devel("DRBG: requested random numbers too large %u\n",
1366 buflen);
1367 goto err;
1368 }
1369
1370 /* 9.3.1 step 3 is implicit with the chosen DRBG */
1371
1372 /* 9.3.1 step 4 */
1373 if (addtl && addtl->len > (drbg_max_addtl(shadow))) {
1374 pr_devel("DRBG: additional information string too long %zu\n",
1375 addtl->len);
1376 goto err;
1377 }
1378 /* 9.3.1 step 5 is implicit with the chosen DRBG */
1379
1380 /*
1381 * 9.3.1 step 6 and 9 supplemented by 9.3.2 step c is implemented
1382 * here. The spec is a bit convoluted here, we make it simpler.
1383 */
1384 if ((drbg_max_requests(shadow)) < shadow->reseed_ctr)
1385 shadow->seeded = false;
1386
1387 /* allocate cipher handle */
1388 if (shadow->d_ops->crypto_init) {
1389 len = shadow->d_ops->crypto_init(shadow);
1390 if (len)
1391 goto err;
1392 }
1393
1394 if (shadow->pr || !shadow->seeded) {
1395 pr_devel("DRBG: reseeding before generation (prediction "
1396 "resistance: %s, state %s)\n",
1397 drbg->pr ? "true" : "false",
1398 drbg->seeded ? "seeded" : "unseeded");
1399 /* 9.3.1 steps 7.1 through 7.3 */
1400 len = drbg_seed(shadow, addtl, true);
1401 if (len)
1402 goto err;
1403 /* 9.3.1 step 7.4 */
1404 addtl = NULL;
1405 }
1406
1407 /*
1408 * Mix the time stamp into the DRBG state if the DRBG is not in
1409 * test mode. If there are two callers invoking the DRBG at the same
1410 * time, i.e. before the first caller merges its shadow state back,
1411 * both callers would obtain the same random number stream without
1412 * changing the state here.
1413 */
1414 if (!drbg->test_data) {
1415 now.cycles = random_get_entropy();
1416 drbg_string_fill(&timestamp, now.char_cycles, sizeof(cycles_t));
1417 list_add_tail(&timestamp.list, &addtllist);
1418 }
1419 if (addtl && 0 < addtl->len)
1420 list_add_tail(&addtl->list, &addtllist);
1421 /* 9.3.1 step 8 and 10 */
1422 len = shadow->d_ops->generate(shadow, buf, buflen, &addtllist);
1423
1424 /* 10.1.1.4 step 6, 10.1.2.5 step 7, 10.2.1.5.2 step 7 */
1425 shadow->reseed_ctr++;
1426 if (0 >= len)
1427 goto err;
1428
1429 /*
1430 * Section 11.3.3 requires to re-perform self tests after some
1431 * generated random numbers. The chosen value after which self
1432 * test is performed is arbitrary, but it should be reasonable.
1433 * However, we do not perform the self tests because of the following
1434 * reasons: it is mathematically impossible that the initial self tests
1435 * were successfully and the following are not. If the initial would
1436 * pass and the following would not, the kernel integrity is violated.
1437 * In this case, the entire kernel operation is questionable and it
1438 * is unlikely that the integrity violation only affects the
1439 * correct operation of the DRBG.
1440 *
1441 * Albeit the following code is commented out, it is provided in
1442 * case somebody has a need to implement the test of 11.3.3.
1443 */
1444#if 0
1445 if (shadow->reseed_ctr && !(shadow->reseed_ctr % 4096)) {
1446 int err = 0;
1447 pr_devel("DRBG: start to perform self test\n");
1448 if (drbg->core->flags & DRBG_HMAC)
1449 err = alg_test("drbg_pr_hmac_sha256",
1450 "drbg_pr_hmac_sha256", 0, 0);
1451 else if (drbg->core->flags & DRBG_CTR)
1452 err = alg_test("drbg_pr_ctr_aes128",
1453 "drbg_pr_ctr_aes128", 0, 0);
1454 else
1455 err = alg_test("drbg_pr_sha256",
1456 "drbg_pr_sha256", 0, 0);
1457 if (err) {
1458 pr_err("DRBG: periodical self test failed\n");
1459 /*
1460 * uninstantiate implies that from now on, only errors
1461 * are returned when reusing this DRBG cipher handle
1462 */
1463 drbg_uninstantiate(drbg);
1464 drbg_dealloc_state(shadow);
1465 kzfree(shadow);
1466 return 0;
1467 } else {
1468 pr_devel("DRBG: self test successful\n");
1469 }
1470 }
1471#endif
1472
1473err:
1474 if (shadow->d_ops->crypto_fini)
1475 shadow->d_ops->crypto_fini(shadow);
1476 drbg_restore_shadow(drbg, &shadow);
1477 return len;
1478}
1479
1480/*
1481 * Wrapper around drbg_generate which can pull arbitrary long strings
1482 * from the DRBG without hitting the maximum request limitation.
1483 *
1484 * Parameters: see drbg_generate
1485 * Return codes: see drbg_generate -- if one drbg_generate request fails,
1486 * the entire drbg_generate_long request fails
1487 */
1488static int drbg_generate_long(struct drbg_state *drbg,
1489 unsigned char *buf, unsigned int buflen,
1490 struct drbg_string *addtl)
1491{
1492 int len = 0;
1493 unsigned int slice = 0;
1494 do {
1495 int tmplen = 0;
1496 unsigned int chunk = 0;
1497 slice = ((buflen - len) / drbg_max_request_bytes(drbg));
1498 chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
1499 tmplen = drbg_generate(drbg, buf + len, chunk, addtl);
1500 if (0 >= tmplen)
1501 return tmplen;
1502 len += tmplen;
1503 } while (slice > 0 && (len < buflen));
1504 return len;
1505}
1506
1507/*
1508 * DRBG instantiation function as required by SP800-90A - this function
1509 * sets up the DRBG handle, performs the initial seeding and all sanity
1510 * checks required by SP800-90A
1511 *
1512 * @drbg memory of state -- if NULL, new memory is allocated
1513 * @pers Personalization string that is mixed into state, may be NULL -- note
1514 * the entropy is pulled by the DRBG internally unconditionally
1515 * as defined in SP800-90A. The additional input is mixed into
1516 * the state in addition to the pulled entropy.
1517 * @coreref reference to core
1518 * @pr prediction resistance enabled
1519 *
1520 * return
1521 * 0 on success
1522 * error value otherwise
1523 */
1524static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
1525 int coreref, bool pr)
1526{
1527 int ret = -ENOMEM;
1528
1529 pr_devel("DRBG: Initializing DRBG core %d with prediction resistance "
1530 "%s\n", coreref, pr ? "enabled" : "disabled");
1531 drbg->core = &drbg_cores[coreref];
1532 drbg->pr = pr;
1533 drbg->seeded = false;
1534 switch (drbg->core->flags & DRBG_TYPE_MASK) {
1535#ifdef CONFIG_CRYPTO_DRBG_HMAC
1536 case DRBG_HMAC:
1537 drbg->d_ops = &drbg_hmac_ops;
1538 break;
1539#endif /* CONFIG_CRYPTO_DRBG_HMAC */
1540#ifdef CONFIG_CRYPTO_DRBG_HASH
1541 case DRBG_HASH:
1542 drbg->d_ops = &drbg_hash_ops;
1543 break;
1544#endif /* CONFIG_CRYPTO_DRBG_HASH */
1545#ifdef CONFIG_CRYPTO_DRBG_CTR
1546 case DRBG_CTR:
1547 drbg->d_ops = &drbg_ctr_ops;
1548 break;
1549#endif /* CONFIG_CRYPTO_DRBG_CTR */
1550 default:
1551 return -EOPNOTSUPP;
1552 }
1553
1554 /* 9.1 step 1 is implicit with the selected DRBG type */
1555
1556 /*
1557 * 9.1 step 2 is implicit as caller can select prediction resistance
1558 * and the flag is copied into drbg->flags --
1559 * all DRBG types support prediction resistance
1560 */
1561
1562 /* 9.1 step 4 is implicit in drbg_sec_strength */
1563
1564 ret = drbg_alloc_state(drbg);
1565 if (ret)
1566 return ret;
1567
1568 ret = -EFAULT;
1569 if (drbg->d_ops->crypto_init && drbg->d_ops->crypto_init(drbg))
1570 goto err;
1571 ret = drbg_seed(drbg, pers, false);
1572 if (drbg->d_ops->crypto_fini)
1573 drbg->d_ops->crypto_fini(drbg);
1574 if (ret)
1575 goto err;
1576
1577 return 0;
1578
1579err:
1580 drbg_dealloc_state(drbg);
1581 return ret;
1582}
1583
1584/*
1585 * DRBG uninstantiate function as required by SP800-90A - this function
1586 * frees all buffers and the DRBG handle
1587 *
1588 * @drbg DRBG state handle
1589 *
1590 * return
1591 * 0 on success
1592 */
1593static int drbg_uninstantiate(struct drbg_state *drbg)
1594{
1595 spin_lock_bh(&drbg->drbg_lock);
1596 drbg_dealloc_state(drbg);
1597 /* no scrubbing of test_data -- this shall survive an uninstantiate */
1598 spin_unlock_bh(&drbg->drbg_lock);
1599 return 0;
1600}
1601
1602/*
1603 * Helper function for setting the test data in the DRBG
1604 *
1605 * @drbg DRBG state handle
1606 * @test_data test data to sets
1607 */
1608static inline void drbg_set_testdata(struct drbg_state *drbg,
1609 struct drbg_test_data *test_data)
1610{
1611 if (!test_data || !test_data->testentropy)
1612 return;
1613 spin_lock_bh(&drbg->drbg_lock);
1614 drbg->test_data = test_data;
1615 spin_unlock_bh(&drbg->drbg_lock);
1616}
1617
1618/***************************************************************
1619 * Kernel crypto API cipher invocations requested by DRBG
1620 ***************************************************************/
1621
1622#if defined(CONFIG_CRYPTO_DRBG_HASH) || defined(CONFIG_CRYPTO_DRBG_HMAC)
1623struct sdesc {
1624 struct shash_desc shash;
1625 char ctx[];
1626};
1627
1628static int drbg_init_hash_kernel(struct drbg_state *drbg)
1629{
1630 struct sdesc *sdesc;
1631 struct crypto_shash *tfm;
1632
1633 tfm = crypto_alloc_shash(drbg->core->backend_cra_name, 0, 0);
1634 if (IS_ERR(tfm)) {
1635 pr_info("DRBG: could not allocate digest TFM handle\n");
1636 return PTR_ERR(tfm);
1637 }
1638 BUG_ON(drbg_blocklen(drbg) != crypto_shash_digestsize(tfm));
1639 sdesc = kzalloc(sizeof(struct shash_desc) + crypto_shash_descsize(tfm),
1640 GFP_KERNEL);
1641 if (!sdesc) {
1642 crypto_free_shash(tfm);
1643 return -ENOMEM;
1644 }
1645
1646 sdesc->shash.tfm = tfm;
1647 sdesc->shash.flags = 0;
1648 drbg->priv_data = sdesc;
1649 return 0;
1650}
1651
1652static int drbg_fini_hash_kernel(struct drbg_state *drbg)
1653{
1654 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1655 if (sdesc) {
1656 crypto_free_shash(sdesc->shash.tfm);
1657 kzfree(sdesc);
1658 }
1659 drbg->priv_data = NULL;
1660 return 0;
1661}
1662
1663static int drbg_kcapi_hash(struct drbg_state *drbg, const unsigned char *key,
1664 unsigned char *outval, const struct list_head *in)
1665{
1666 struct sdesc *sdesc = (struct sdesc *)drbg->priv_data;
1667 struct drbg_string *input = NULL;
1668
1669 if (key)
1670 crypto_shash_setkey(sdesc->shash.tfm, key, drbg_statelen(drbg));
1671 crypto_shash_init(&sdesc->shash);
1672 list_for_each_entry(input, in, list)
1673 crypto_shash_update(&sdesc->shash, input->buf, input->len);
1674 return crypto_shash_final(&sdesc->shash, outval);
1675}
1676#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
1677
1678#ifdef CONFIG_CRYPTO_DRBG_CTR
1679static int drbg_init_sym_kernel(struct drbg_state *drbg)
1680{
1681 int ret = 0;
1682 struct crypto_blkcipher *tfm;
1683
1684 tfm = crypto_alloc_blkcipher(drbg->core->backend_cra_name, 0, 0);
1685 if (IS_ERR(tfm)) {
1686 pr_info("DRBG: could not allocate cipher TFM handle\n");
1687 return PTR_ERR(tfm);
1688 }
1689 BUG_ON(drbg_blocklen(drbg) != crypto_blkcipher_blocksize(tfm));
1690 drbg->priv_data = tfm;
1691 return ret;
1692}
1693
1694static int drbg_fini_sym_kernel(struct drbg_state *drbg)
1695{
1696 struct crypto_blkcipher *tfm =
1697 (struct crypto_blkcipher *)drbg->priv_data;
1698 if (tfm)
1699 crypto_free_blkcipher(tfm);
1700 drbg->priv_data = NULL;
1701 return 0;
1702}
1703
1704static int drbg_kcapi_sym(struct drbg_state *drbg, const unsigned char *key,
1705 unsigned char *outval, const struct drbg_string *in)
1706{
1707 int ret = 0;
1708 struct scatterlist sg_in, sg_out;
1709 struct blkcipher_desc desc;
1710 struct crypto_blkcipher *tfm =
1711 (struct crypto_blkcipher *)drbg->priv_data;
1712
1713 desc.tfm = tfm;
1714 desc.flags = 0;
1715 crypto_blkcipher_setkey(tfm, key, (drbg_keylen(drbg)));
1716 /* there is only component in *in */
1717 sg_init_one(&sg_in, in->buf, in->len);
1718 sg_init_one(&sg_out, outval, drbg_blocklen(drbg));
1719 ret = crypto_blkcipher_encrypt(&desc, &sg_out, &sg_in, in->len);
1720
1721 return ret;
1722}
1723#endif /* CONFIG_CRYPTO_DRBG_CTR */
1724
1725/***************************************************************
1726 * Kernel crypto API interface to register DRBG
1727 ***************************************************************/
1728
1729/*
1730 * Look up the DRBG flags by given kernel crypto API cra_name
1731 * The code uses the drbg_cores definition to do this
1732 *
1733 * @cra_name kernel crypto API cra_name
1734 * @coreref reference to integer which is filled with the pointer to
1735 * the applicable core
1736 * @pr reference for setting prediction resistance
1737 *
1738 * return: flags
1739 */
1740static inline void drbg_convert_tfm_core(const char *cra_driver_name,
1741 int *coreref, bool *pr)
1742{
1743 int i = 0;
1744 size_t start = 0;
1745 int len = 0;
1746
1747 *pr = true;
1748 /* disassemble the names */
1749 if (!memcmp(cra_driver_name, "drbg_nopr_", 10)) {
1750 start = 10;
1751 *pr = false;
1752 } else if (!memcmp(cra_driver_name, "drbg_pr_", 8)) {
1753 start = 8;
1754 } else {
1755 return;
1756 }
1757
1758 /* remove the first part */
1759 len = strlen(cra_driver_name) - start;
1760 for (i = 0; ARRAY_SIZE(drbg_cores) > i; i++) {
1761 if (!memcmp(cra_driver_name + start, drbg_cores[i].cra_name,
1762 len)) {
1763 *coreref = i;
1764 return;
1765 }
1766 }
1767}
1768
1769static int drbg_kcapi_init(struct crypto_tfm *tfm)
1770{
1771 struct drbg_state *drbg = crypto_tfm_ctx(tfm);
1772 bool pr = false;
1773 int coreref = 0;
1774
1775 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm), &coreref, &pr);
1776 /*
1777 * when personalization string is needed, the caller must call reset
1778 * and provide the personalization string as seed information
1779 */
1780 return drbg_instantiate(drbg, NULL, coreref, pr);
1781}
1782
1783static void drbg_kcapi_cleanup(struct crypto_tfm *tfm)
1784{
1785 drbg_uninstantiate(crypto_tfm_ctx(tfm));
1786}
1787
1788/*
1789 * Generate random numbers invoked by the kernel crypto API:
1790 * The API of the kernel crypto API is extended as follows:
1791 *
1792 * If dlen is larger than zero, rdata is interpreted as the output buffer
1793 * where random data is to be stored.
1794 *
1795 * If dlen is zero, rdata is interpreted as a pointer to a struct drbg_gen
1796 * which holds the additional information string that is used for the
1797 * DRBG generation process. The output buffer that is to be used to store
1798 * data is also pointed to by struct drbg_gen.
1799 */
1800static int drbg_kcapi_random(struct crypto_rng *tfm, u8 *rdata,
1801 unsigned int dlen)
1802{
1803 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1804 if (0 < dlen) {
1805 return drbg_generate_long(drbg, rdata, dlen, NULL);
1806 } else {
1807 struct drbg_gen *data = (struct drbg_gen *)rdata;
1808 struct drbg_string addtl;
1809 /* catch NULL pointer */
1810 if (!data)
1811 return 0;
1812 drbg_set_testdata(drbg, data->test_data);
1813 /* linked list variable is now local to allow modification */
1814 drbg_string_fill(&addtl, data->addtl->buf, data->addtl->len);
1815 return drbg_generate_long(drbg, data->outbuf, data->outlen,
1816 &addtl);
1817 }
1818}
1819
1820/*
1821 * Reset the DRBG invoked by the kernel crypto API
1822 * The reset implies a full re-initialization of the DRBG. Similar to the
1823 * generate function of drbg_kcapi_random, this function extends the
1824 * kernel crypto API interface with struct drbg_gen
1825 */
1826static int drbg_kcapi_reset(struct crypto_rng *tfm, u8 *seed, unsigned int slen)
1827{
1828 struct drbg_state *drbg = crypto_rng_ctx(tfm);
1829 struct crypto_tfm *tfm_base = crypto_rng_tfm(tfm);
1830 bool pr = false;
1831 struct drbg_string seed_string;
1832 int coreref = 0;
1833
1834 drbg_uninstantiate(drbg);
1835 drbg_convert_tfm_core(crypto_tfm_alg_driver_name(tfm_base), &coreref,
1836 &pr);
1837 if (0 < slen) {
1838 drbg_string_fill(&seed_string, seed, slen);
1839 return drbg_instantiate(drbg, &seed_string, coreref, pr);
1840 } else {
1841 struct drbg_gen *data = (struct drbg_gen *)seed;
1842 /* allow invocation of API call with NULL, 0 */
1843 if (!data)
1844 return drbg_instantiate(drbg, NULL, coreref, pr);
1845 drbg_set_testdata(drbg, data->test_data);
1846 /* linked list variable is now local to allow modification */
1847 drbg_string_fill(&seed_string, data->addtl->buf,
1848 data->addtl->len);
1849 return drbg_instantiate(drbg, &seed_string, coreref, pr);
1850 }
1851}
1852
1853/***************************************************************
1854 * Kernel module: code to load the module
1855 ***************************************************************/
1856
1857/*
1858 * Tests as defined in 11.3.2 in addition to the cipher tests: testing
1859 * of the error handling.
1860 *
1861 * Note: testing of failing seed source as defined in 11.3.2 is not applicable
1862 * as seed source of get_random_bytes does not fail.
1863 *
1864 * Note 2: There is no sensible way of testing the reseed counter
1865 * enforcement, so skip it.
1866 */
1867static inline int __init drbg_healthcheck_sanity(void)
1868{
1869#ifdef CONFIG_CRYPTO_FIPS
1870 int len = 0;
1871#define OUTBUFLEN 16
1872 unsigned char buf[OUTBUFLEN];
1873 struct drbg_state *drbg = NULL;
1874 int ret = -EFAULT;
1875 int rc = -EFAULT;
1876 bool pr = false;
1877 int coreref = 0;
1878 struct drbg_string addtl;
1879 size_t max_addtllen, max_request_bytes;
1880
1881 /* only perform test in FIPS mode */
1882 if (!fips_enabled)
1883 return 0;
1884
1885#ifdef CONFIG_CRYPTO_DRBG_CTR
1886 drbg_convert_tfm_core("drbg_nopr_ctr_aes128", &coreref, &pr);
1887#elif defined CONFIG_CRYPTO_DRBG_HASH
1888 drbg_convert_tfm_core("drbg_nopr_sha256", &coreref, &pr);
1889#else
1890 drbg_convert_tfm_core("drbg_nopr_hmac_sha256", &coreref, &pr);
1891#endif
1892
1893 drbg = kzalloc(sizeof(struct drbg_state), GFP_KERNEL);
1894 if (!drbg)
1895 return -ENOMEM;
1896
1897 /*
1898 * if the following tests fail, it is likely that there is a buffer
1899 * overflow as buf is much smaller than the requested or provided
1900 * string lengths -- in case the error handling does not succeed
1901 * we may get an OOPS. And we want to get an OOPS as this is a
1902 * grave bug.
1903 */
1904
1905 /* get a valid instance of DRBG for following tests */
1906 ret = drbg_instantiate(drbg, NULL, coreref, pr);
1907 if (ret) {
1908 rc = ret;
1909 goto outbuf;
1910 }
1911 max_addtllen = drbg_max_addtl(drbg);
1912 max_request_bytes = drbg_max_request_bytes(drbg);
1913 drbg_string_fill(&addtl, buf, max_addtllen + 1);
1914 /* overflow addtllen with additonal info string */
1915 len = drbg_generate(drbg, buf, OUTBUFLEN, &addtl);
1916 BUG_ON(0 < len);
1917 /* overflow max_bits */
1918 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1919 BUG_ON(0 < len);
1920 drbg_uninstantiate(drbg);
1921
1922 /* overflow max addtllen with personalization string */
1923 ret = drbg_instantiate(drbg, &addtl, coreref, pr);
1924 BUG_ON(0 == ret);
1925 /* test uninstantated DRBG */
1926 len = drbg_generate(drbg, buf, (max_request_bytes + 1), NULL);
1927 BUG_ON(0 < len);
1928 /* all tests passed */
1929 rc = 0;
1930
1931 pr_devel("DRBG: Sanity tests for failure code paths successfully "
1932 "completed\n");
1933
1934 drbg_uninstantiate(drbg);
1935outbuf:
1936 kzfree(drbg);
1937 return rc;
1938#else /* CONFIG_CRYPTO_FIPS */
1939 return 0;
1940#endif /* CONFIG_CRYPTO_FIPS */
1941}
1942
1943static struct crypto_alg drbg_algs[22];
1944
1945/*
1946 * Fill the array drbg_algs used to register the different DRBGs
1947 * with the kernel crypto API. To fill the array, the information
1948 * from drbg_cores[] is used.
1949 */
1950static inline void __init drbg_fill_array(struct crypto_alg *alg,
1951 const struct drbg_core *core, int pr)
1952{
1953 int pos = 0;
1954 static int priority = 100;
1955
1956 memset(alg, 0, sizeof(struct crypto_alg));
1957 memcpy(alg->cra_name, "stdrng", 6);
1958 if (pr) {
1959 memcpy(alg->cra_driver_name, "drbg_pr_", 8);
1960 pos = 8;
1961 } else {
1962 memcpy(alg->cra_driver_name, "drbg_nopr_", 10);
1963 pos = 10;
1964 }
1965 memcpy(alg->cra_driver_name + pos, core->cra_name,
1966 strlen(core->cra_name));
1967
1968 alg->cra_priority = priority;
1969 priority++;
1970 /*
1971 * If FIPS mode enabled, the selected DRBG shall have the
1972 * highest cra_priority over other stdrng instances to ensure
1973 * it is selected.
1974 */
1975 if (fips_enabled)
1976 alg->cra_priority += 200;
1977
1978 alg->cra_flags = CRYPTO_ALG_TYPE_RNG;
1979 alg->cra_ctxsize = sizeof(struct drbg_state);
1980 alg->cra_type = &crypto_rng_type;
1981 alg->cra_module = THIS_MODULE;
1982 alg->cra_init = drbg_kcapi_init;
1983 alg->cra_exit = drbg_kcapi_cleanup;
1984 alg->cra_u.rng.rng_make_random = drbg_kcapi_random;
1985 alg->cra_u.rng.rng_reset = drbg_kcapi_reset;
1986 alg->cra_u.rng.seedsize = 0;
1987}
1988
1989static int __init drbg_init(void)
1990{
1991 unsigned int i = 0; /* pointer to drbg_algs */
1992 unsigned int j = 0; /* pointer to drbg_cores */
1993 int ret = -EFAULT;
1994
1995 ret = drbg_healthcheck_sanity();
1996 if (ret)
1997 return ret;
1998
1999 if (ARRAY_SIZE(drbg_cores) * 2 > ARRAY_SIZE(drbg_algs)) {
2000 pr_info("DRBG: Cannot register all DRBG types"
2001 "(slots needed: %zu, slots available: %zu)\n",
2002 ARRAY_SIZE(drbg_cores) * 2, ARRAY_SIZE(drbg_algs));
2003 return ret;
2004 }
2005
2006 /*
2007 * each DRBG definition can be used with PR and without PR, thus
2008 * we instantiate each DRBG in drbg_cores[] twice.
2009 *
2010 * As the order of placing them into the drbg_algs array matters
2011 * (the later DRBGs receive a higher cra_priority) we register the
2012 * prediction resistance DRBGs first as the should not be too
2013 * interesting.
2014 */
2015 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2016 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 1);
2017 for (j = 0; ARRAY_SIZE(drbg_cores) > j; j++, i++)
2018 drbg_fill_array(&drbg_algs[i], &drbg_cores[j], 0);
2019 return crypto_register_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2020}
2021
2022static void __exit drbg_exit(void)
2023{
2024 crypto_unregister_algs(drbg_algs, (ARRAY_SIZE(drbg_cores) * 2));
2025}
2026
2027module_init(drbg_init);
2028module_exit(drbg_exit);
2029#ifndef CRYPTO_DRBG_HASH_STRING
2030#define CRYPTO_DRBG_HASH_STRING ""
2031#endif
2032#ifndef CRYPTO_DRBG_HMAC_STRING
2033#define CRYPTO_DRBG_HMAC_STRING ""
2034#endif
2035#ifndef CRYPTO_DRBG_CTR_STRING
2036#define CRYPTO_DRBG_CTR_STRING ""
2037#endif
2038MODULE_LICENSE("GPL");
2039MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
2040MODULE_DESCRIPTION("NIST SP800-90A Deterministic Random Bit Generator (DRBG) "
2041 "using following cores: "
2042 CRYPTO_DRBG_HASH_STRING
2043 CRYPTO_DRBG_HMAC_STRING
2044 CRYPTO_DRBG_CTR_STRING);
diff --git a/crypto/eseqiv.c b/crypto/eseqiv.c
index 42ce9f570aec..bf7ab4a89493 100644
--- a/crypto/eseqiv.c
+++ b/crypto/eseqiv.c
@@ -68,7 +68,7 @@ static int eseqiv_givencrypt(struct skcipher_givcrypt_request *req)
68 struct eseqiv_ctx *ctx = crypto_ablkcipher_ctx(geniv); 68 struct eseqiv_ctx *ctx = crypto_ablkcipher_ctx(geniv);
69 struct eseqiv_request_ctx *reqctx = skcipher_givcrypt_reqctx(req); 69 struct eseqiv_request_ctx *reqctx = skcipher_givcrypt_reqctx(req);
70 struct ablkcipher_request *subreq; 70 struct ablkcipher_request *subreq;
71 crypto_completion_t complete; 71 crypto_completion_t compl;
72 void *data; 72 void *data;
73 struct scatterlist *osrc, *odst; 73 struct scatterlist *osrc, *odst;
74 struct scatterlist *dst; 74 struct scatterlist *dst;
@@ -86,7 +86,7 @@ static int eseqiv_givencrypt(struct skcipher_givcrypt_request *req)
86 ablkcipher_request_set_tfm(subreq, skcipher_geniv_cipher(geniv)); 86 ablkcipher_request_set_tfm(subreq, skcipher_geniv_cipher(geniv));
87 87
88 giv = req->giv; 88 giv = req->giv;
89 complete = req->creq.base.complete; 89 compl = req->creq.base.complete;
90 data = req->creq.base.data; 90 data = req->creq.base.data;
91 91
92 osrc = req->creq.src; 92 osrc = req->creq.src;
@@ -101,11 +101,11 @@ static int eseqiv_givencrypt(struct skcipher_givcrypt_request *req)
101 if (vsrc != giv + ivsize && vdst != giv + ivsize) { 101 if (vsrc != giv + ivsize && vdst != giv + ivsize) {
102 giv = PTR_ALIGN((u8 *)reqctx->tail, 102 giv = PTR_ALIGN((u8 *)reqctx->tail,
103 crypto_ablkcipher_alignmask(geniv) + 1); 103 crypto_ablkcipher_alignmask(geniv) + 1);
104 complete = eseqiv_complete; 104 compl = eseqiv_complete;
105 data = req; 105 data = req;
106 } 106 }
107 107
108 ablkcipher_request_set_callback(subreq, req->creq.base.flags, complete, 108 ablkcipher_request_set_callback(subreq, req->creq.base.flags, compl,
109 data); 109 data);
110 110
111 sg_init_table(reqctx->src, 2); 111 sg_init_table(reqctx->src, 2);
diff --git a/crypto/gcm.c b/crypto/gcm.c
index b4f017939004..276cdac567b6 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -228,14 +228,14 @@ static void gcm_hash_final_done(struct crypto_async_request *areq, int err);
228 228
229static int gcm_hash_update(struct aead_request *req, 229static int gcm_hash_update(struct aead_request *req,
230 struct crypto_gcm_req_priv_ctx *pctx, 230 struct crypto_gcm_req_priv_ctx *pctx,
231 crypto_completion_t complete, 231 crypto_completion_t compl,
232 struct scatterlist *src, 232 struct scatterlist *src,
233 unsigned int len) 233 unsigned int len)
234{ 234{
235 struct ahash_request *ahreq = &pctx->u.ahreq; 235 struct ahash_request *ahreq = &pctx->u.ahreq;
236 236
237 ahash_request_set_callback(ahreq, aead_request_flags(req), 237 ahash_request_set_callback(ahreq, aead_request_flags(req),
238 complete, req); 238 compl, req);
239 ahash_request_set_crypt(ahreq, src, NULL, len); 239 ahash_request_set_crypt(ahreq, src, NULL, len);
240 240
241 return crypto_ahash_update(ahreq); 241 return crypto_ahash_update(ahreq);
@@ -244,12 +244,12 @@ static int gcm_hash_update(struct aead_request *req,
244static int gcm_hash_remain(struct aead_request *req, 244static int gcm_hash_remain(struct aead_request *req,
245 struct crypto_gcm_req_priv_ctx *pctx, 245 struct crypto_gcm_req_priv_ctx *pctx,
246 unsigned int remain, 246 unsigned int remain,
247 crypto_completion_t complete) 247 crypto_completion_t compl)
248{ 248{
249 struct ahash_request *ahreq = &pctx->u.ahreq; 249 struct ahash_request *ahreq = &pctx->u.ahreq;
250 250
251 ahash_request_set_callback(ahreq, aead_request_flags(req), 251 ahash_request_set_callback(ahreq, aead_request_flags(req),
252 complete, req); 252 compl, req);
253 sg_init_one(pctx->src, gcm_zeroes, remain); 253 sg_init_one(pctx->src, gcm_zeroes, remain);
254 ahash_request_set_crypt(ahreq, pctx->src, NULL, remain); 254 ahash_request_set_crypt(ahreq, pctx->src, NULL, remain);
255 255
@@ -375,14 +375,14 @@ static void __gcm_hash_assoc_remain_done(struct aead_request *req, int err)
375{ 375{
376 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 376 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
377 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 377 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
378 crypto_completion_t complete; 378 crypto_completion_t compl;
379 unsigned int remain = 0; 379 unsigned int remain = 0;
380 380
381 if (!err && gctx->cryptlen) { 381 if (!err && gctx->cryptlen) {
382 remain = gcm_remain(gctx->cryptlen); 382 remain = gcm_remain(gctx->cryptlen);
383 complete = remain ? gcm_hash_crypt_done : 383 compl = remain ? gcm_hash_crypt_done :
384 gcm_hash_crypt_remain_done; 384 gcm_hash_crypt_remain_done;
385 err = gcm_hash_update(req, pctx, complete, 385 err = gcm_hash_update(req, pctx, compl,
386 gctx->src, gctx->cryptlen); 386 gctx->src, gctx->cryptlen);
387 if (err == -EINPROGRESS || err == -EBUSY) 387 if (err == -EINPROGRESS || err == -EBUSY)
388 return; 388 return;
@@ -429,14 +429,14 @@ static void gcm_hash_assoc_done(struct crypto_async_request *areq, int err)
429static void __gcm_hash_init_done(struct aead_request *req, int err) 429static void __gcm_hash_init_done(struct aead_request *req, int err)
430{ 430{
431 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req); 431 struct crypto_gcm_req_priv_ctx *pctx = crypto_gcm_reqctx(req);
432 crypto_completion_t complete; 432 crypto_completion_t compl;
433 unsigned int remain = 0; 433 unsigned int remain = 0;
434 434
435 if (!err && req->assoclen) { 435 if (!err && req->assoclen) {
436 remain = gcm_remain(req->assoclen); 436 remain = gcm_remain(req->assoclen);
437 complete = remain ? gcm_hash_assoc_done : 437 compl = remain ? gcm_hash_assoc_done :
438 gcm_hash_assoc_remain_done; 438 gcm_hash_assoc_remain_done;
439 err = gcm_hash_update(req, pctx, complete, 439 err = gcm_hash_update(req, pctx, compl,
440 req->assoc, req->assoclen); 440 req->assoc, req->assoclen);
441 if (err == -EINPROGRESS || err == -EBUSY) 441 if (err == -EINPROGRESS || err == -EBUSY)
442 return; 442 return;
@@ -462,7 +462,7 @@ static int gcm_hash(struct aead_request *req,
462 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx; 462 struct crypto_gcm_ghash_ctx *gctx = &pctx->ghash_ctx;
463 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(req->base.tfm); 463 struct crypto_gcm_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
464 unsigned int remain; 464 unsigned int remain;
465 crypto_completion_t complete; 465 crypto_completion_t compl;
466 int err; 466 int err;
467 467
468 ahash_request_set_tfm(ahreq, ctx->ghash); 468 ahash_request_set_tfm(ahreq, ctx->ghash);
@@ -473,8 +473,8 @@ static int gcm_hash(struct aead_request *req,
473 if (err) 473 if (err)
474 return err; 474 return err;
475 remain = gcm_remain(req->assoclen); 475 remain = gcm_remain(req->assoclen);
476 complete = remain ? gcm_hash_assoc_done : gcm_hash_assoc_remain_done; 476 compl = remain ? gcm_hash_assoc_done : gcm_hash_assoc_remain_done;
477 err = gcm_hash_update(req, pctx, complete, req->assoc, req->assoclen); 477 err = gcm_hash_update(req, pctx, compl, req->assoc, req->assoclen);
478 if (err) 478 if (err)
479 return err; 479 return err;
480 if (remain) { 480 if (remain) {
@@ -484,8 +484,8 @@ static int gcm_hash(struct aead_request *req,
484 return err; 484 return err;
485 } 485 }
486 remain = gcm_remain(gctx->cryptlen); 486 remain = gcm_remain(gctx->cryptlen);
487 complete = remain ? gcm_hash_crypt_done : gcm_hash_crypt_remain_done; 487 compl = remain ? gcm_hash_crypt_done : gcm_hash_crypt_remain_done;
488 err = gcm_hash_update(req, pctx, complete, gctx->src, gctx->cryptlen); 488 err = gcm_hash_update(req, pctx, compl, gctx->src, gctx->cryptlen);
489 if (err) 489 if (err)
490 return err; 490 return err;
491 if (remain) { 491 if (remain) {
diff --git a/crypto/lzo.c b/crypto/lzo.c
index 1c2aa69c54b8..a8ff2f778dc4 100644
--- a/crypto/lzo.c
+++ b/crypto/lzo.c
@@ -20,6 +20,7 @@
20#include <linux/module.h> 20#include <linux/module.h>
21#include <linux/crypto.h> 21#include <linux/crypto.h>
22#include <linux/vmalloc.h> 22#include <linux/vmalloc.h>
23#include <linux/mm.h>
23#include <linux/lzo.h> 24#include <linux/lzo.h>
24 25
25struct lzo_ctx { 26struct lzo_ctx {
@@ -30,7 +31,10 @@ static int lzo_init(struct crypto_tfm *tfm)
30{ 31{
31 struct lzo_ctx *ctx = crypto_tfm_ctx(tfm); 32 struct lzo_ctx *ctx = crypto_tfm_ctx(tfm);
32 33
33 ctx->lzo_comp_mem = vmalloc(LZO1X_MEM_COMPRESS); 34 ctx->lzo_comp_mem = kmalloc(LZO1X_MEM_COMPRESS,
35 GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
36 if (!ctx->lzo_comp_mem)
37 ctx->lzo_comp_mem = vmalloc(LZO1X_MEM_COMPRESS);
34 if (!ctx->lzo_comp_mem) 38 if (!ctx->lzo_comp_mem)
35 return -ENOMEM; 39 return -ENOMEM;
36 40
@@ -41,7 +45,7 @@ static void lzo_exit(struct crypto_tfm *tfm)
41{ 45{
42 struct lzo_ctx *ctx = crypto_tfm_ctx(tfm); 46 struct lzo_ctx *ctx = crypto_tfm_ctx(tfm);
43 47
44 vfree(ctx->lzo_comp_mem); 48 kvfree(ctx->lzo_comp_mem);
45} 49}
46 50
47static int lzo_compress(struct crypto_tfm *tfm, const u8 *src, 51static int lzo_compress(struct crypto_tfm *tfm, const u8 *src,
diff --git a/crypto/seqiv.c b/crypto/seqiv.c
index f2cba4ed6f25..ee190fcedcd2 100644
--- a/crypto/seqiv.c
+++ b/crypto/seqiv.c
@@ -100,7 +100,7 @@ static int seqiv_givencrypt(struct skcipher_givcrypt_request *req)
100 struct crypto_ablkcipher *geniv = skcipher_givcrypt_reqtfm(req); 100 struct crypto_ablkcipher *geniv = skcipher_givcrypt_reqtfm(req);
101 struct seqiv_ctx *ctx = crypto_ablkcipher_ctx(geniv); 101 struct seqiv_ctx *ctx = crypto_ablkcipher_ctx(geniv);
102 struct ablkcipher_request *subreq = skcipher_givcrypt_reqctx(req); 102 struct ablkcipher_request *subreq = skcipher_givcrypt_reqctx(req);
103 crypto_completion_t complete; 103 crypto_completion_t compl;
104 void *data; 104 void *data;
105 u8 *info; 105 u8 *info;
106 unsigned int ivsize; 106 unsigned int ivsize;
@@ -108,7 +108,7 @@ static int seqiv_givencrypt(struct skcipher_givcrypt_request *req)
108 108
109 ablkcipher_request_set_tfm(subreq, skcipher_geniv_cipher(geniv)); 109 ablkcipher_request_set_tfm(subreq, skcipher_geniv_cipher(geniv));
110 110
111 complete = req->creq.base.complete; 111 compl = req->creq.base.complete;
112 data = req->creq.base.data; 112 data = req->creq.base.data;
113 info = req->creq.info; 113 info = req->creq.info;
114 114
@@ -122,11 +122,11 @@ static int seqiv_givencrypt(struct skcipher_givcrypt_request *req)
122 if (!info) 122 if (!info)
123 return -ENOMEM; 123 return -ENOMEM;
124 124
125 complete = seqiv_complete; 125 compl = seqiv_complete;
126 data = req; 126 data = req;
127 } 127 }
128 128
129 ablkcipher_request_set_callback(subreq, req->creq.base.flags, complete, 129 ablkcipher_request_set_callback(subreq, req->creq.base.flags, compl,
130 data); 130 data);
131 ablkcipher_request_set_crypt(subreq, req->creq.src, req->creq.dst, 131 ablkcipher_request_set_crypt(subreq, req->creq.src, req->creq.dst,
132 req->creq.nbytes, info); 132 req->creq.nbytes, info);
@@ -146,7 +146,7 @@ static int seqiv_aead_givencrypt(struct aead_givcrypt_request *req)
146 struct seqiv_ctx *ctx = crypto_aead_ctx(geniv); 146 struct seqiv_ctx *ctx = crypto_aead_ctx(geniv);
147 struct aead_request *areq = &req->areq; 147 struct aead_request *areq = &req->areq;
148 struct aead_request *subreq = aead_givcrypt_reqctx(req); 148 struct aead_request *subreq = aead_givcrypt_reqctx(req);
149 crypto_completion_t complete; 149 crypto_completion_t compl;
150 void *data; 150 void *data;
151 u8 *info; 151 u8 *info;
152 unsigned int ivsize; 152 unsigned int ivsize;
@@ -154,7 +154,7 @@ static int seqiv_aead_givencrypt(struct aead_givcrypt_request *req)
154 154
155 aead_request_set_tfm(subreq, aead_geniv_base(geniv)); 155 aead_request_set_tfm(subreq, aead_geniv_base(geniv));
156 156
157 complete = areq->base.complete; 157 compl = areq->base.complete;
158 data = areq->base.data; 158 data = areq->base.data;
159 info = areq->iv; 159 info = areq->iv;
160 160
@@ -168,11 +168,11 @@ static int seqiv_aead_givencrypt(struct aead_givcrypt_request *req)
168 if (!info) 168 if (!info)
169 return -ENOMEM; 169 return -ENOMEM;
170 170
171 complete = seqiv_aead_complete; 171 compl = seqiv_aead_complete;
172 data = req; 172 data = req;
173 } 173 }
174 174
175 aead_request_set_callback(subreq, areq->base.flags, complete, data); 175 aead_request_set_callback(subreq, areq->base.flags, compl, data);
176 aead_request_set_crypt(subreq, areq->src, areq->dst, areq->cryptlen, 176 aead_request_set_crypt(subreq, areq->src, areq->dst, areq->cryptlen,
177 info); 177 info);
178 aead_request_set_assoc(subreq, areq->assoc, areq->assoclen); 178 aead_request_set_assoc(subreq, areq->assoc, areq->assoclen);
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index ba247cf30858..890449e6e7ef 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -48,6 +48,11 @@
48#define DECRYPT 0 48#define DECRYPT 0
49 49
50/* 50/*
51 * return a string with the driver name
52 */
53#define get_driver_name(tfm_type, tfm) crypto_tfm_alg_driver_name(tfm_type ## _tfm(tfm))
54
55/*
51 * Used by test_cipher_speed() 56 * Used by test_cipher_speed()
52 */ 57 */
53static unsigned int sec; 58static unsigned int sec;
@@ -68,13 +73,13 @@ static char *check[] = {
68}; 73};
69 74
70static int test_cipher_jiffies(struct blkcipher_desc *desc, int enc, 75static int test_cipher_jiffies(struct blkcipher_desc *desc, int enc,
71 struct scatterlist *sg, int blen, int sec) 76 struct scatterlist *sg, int blen, int secs)
72{ 77{
73 unsigned long start, end; 78 unsigned long start, end;
74 int bcount; 79 int bcount;
75 int ret; 80 int ret;
76 81
77 for (start = jiffies, end = start + sec * HZ, bcount = 0; 82 for (start = jiffies, end = start + secs * HZ, bcount = 0;
78 time_before(jiffies, end); bcount++) { 83 time_before(jiffies, end); bcount++) {
79 if (enc) 84 if (enc)
80 ret = crypto_blkcipher_encrypt(desc, sg, sg, blen); 85 ret = crypto_blkcipher_encrypt(desc, sg, sg, blen);
@@ -86,7 +91,7 @@ static int test_cipher_jiffies(struct blkcipher_desc *desc, int enc,
86 } 91 }
87 92
88 printk("%d operations in %d seconds (%ld bytes)\n", 93 printk("%d operations in %d seconds (%ld bytes)\n",
89 bcount, sec, (long)bcount * blen); 94 bcount, secs, (long)bcount * blen);
90 return 0; 95 return 0;
91} 96}
92 97
@@ -138,13 +143,13 @@ out:
138} 143}
139 144
140static int test_aead_jiffies(struct aead_request *req, int enc, 145static int test_aead_jiffies(struct aead_request *req, int enc,
141 int blen, int sec) 146 int blen, int secs)
142{ 147{
143 unsigned long start, end; 148 unsigned long start, end;
144 int bcount; 149 int bcount;
145 int ret; 150 int ret;
146 151
147 for (start = jiffies, end = start + sec * HZ, bcount = 0; 152 for (start = jiffies, end = start + secs * HZ, bcount = 0;
148 time_before(jiffies, end); bcount++) { 153 time_before(jiffies, end); bcount++) {
149 if (enc) 154 if (enc)
150 ret = crypto_aead_encrypt(req); 155 ret = crypto_aead_encrypt(req);
@@ -156,7 +161,7 @@ static int test_aead_jiffies(struct aead_request *req, int enc,
156 } 161 }
157 162
158 printk("%d operations in %d seconds (%ld bytes)\n", 163 printk("%d operations in %d seconds (%ld bytes)\n",
159 bcount, sec, (long)bcount * blen); 164 bcount, secs, (long)bcount * blen);
160 return 0; 165 return 0;
161} 166}
162 167
@@ -260,7 +265,7 @@ static void sg_init_aead(struct scatterlist *sg, char *xbuf[XBUFSIZE],
260 } 265 }
261} 266}
262 267
263static void test_aead_speed(const char *algo, int enc, unsigned int sec, 268static void test_aead_speed(const char *algo, int enc, unsigned int secs,
264 struct aead_speed_template *template, 269 struct aead_speed_template *template,
265 unsigned int tcount, u8 authsize, 270 unsigned int tcount, u8 authsize,
266 unsigned int aad_size, u8 *keysize) 271 unsigned int aad_size, u8 *keysize)
@@ -305,9 +310,6 @@ static void test_aead_speed(const char *algo, int enc, unsigned int sec,
305 asg = &sg[8]; 310 asg = &sg[8];
306 sgout = &asg[8]; 311 sgout = &asg[8];
307 312
308
309 printk(KERN_INFO "\ntesting speed of %s %s\n", algo, e);
310
311 tfm = crypto_alloc_aead(algo, 0, 0); 313 tfm = crypto_alloc_aead(algo, 0, 0);
312 314
313 if (IS_ERR(tfm)) { 315 if (IS_ERR(tfm)) {
@@ -316,6 +318,9 @@ static void test_aead_speed(const char *algo, int enc, unsigned int sec,
316 goto out_notfm; 318 goto out_notfm;
317 } 319 }
318 320
321 printk(KERN_INFO "\ntesting speed of %s (%s) %s\n", algo,
322 get_driver_name(crypto_aead, tfm), e);
323
319 req = aead_request_alloc(tfm, GFP_KERNEL); 324 req = aead_request_alloc(tfm, GFP_KERNEL);
320 if (!req) { 325 if (!req) {
321 pr_err("alg: aead: Failed to allocate request for %s\n", 326 pr_err("alg: aead: Failed to allocate request for %s\n",
@@ -374,8 +379,9 @@ static void test_aead_speed(const char *algo, int enc, unsigned int sec,
374 aead_request_set_crypt(req, sg, sgout, *b_size, iv); 379 aead_request_set_crypt(req, sg, sgout, *b_size, iv);
375 aead_request_set_assoc(req, asg, aad_size); 380 aead_request_set_assoc(req, asg, aad_size);
376 381
377 if (sec) 382 if (secs)
378 ret = test_aead_jiffies(req, enc, *b_size, sec); 383 ret = test_aead_jiffies(req, enc, *b_size,
384 secs);
379 else 385 else
380 ret = test_aead_cycles(req, enc, *b_size); 386 ret = test_aead_cycles(req, enc, *b_size);
381 387
@@ -405,7 +411,7 @@ out_noxbuf:
405 return; 411 return;
406} 412}
407 413
408static void test_cipher_speed(const char *algo, int enc, unsigned int sec, 414static void test_cipher_speed(const char *algo, int enc, unsigned int secs,
409 struct cipher_speed_template *template, 415 struct cipher_speed_template *template,
410 unsigned int tcount, u8 *keysize) 416 unsigned int tcount, u8 *keysize)
411{ 417{
@@ -422,8 +428,6 @@ static void test_cipher_speed(const char *algo, int enc, unsigned int sec,
422 else 428 else
423 e = "decryption"; 429 e = "decryption";
424 430
425 printk("\ntesting speed of %s %s\n", algo, e);
426
427 tfm = crypto_alloc_blkcipher(algo, 0, CRYPTO_ALG_ASYNC); 431 tfm = crypto_alloc_blkcipher(algo, 0, CRYPTO_ALG_ASYNC);
428 432
429 if (IS_ERR(tfm)) { 433 if (IS_ERR(tfm)) {
@@ -434,6 +438,9 @@ static void test_cipher_speed(const char *algo, int enc, unsigned int sec,
434 desc.tfm = tfm; 438 desc.tfm = tfm;
435 desc.flags = 0; 439 desc.flags = 0;
436 440
441 printk(KERN_INFO "\ntesting speed of %s (%s) %s\n", algo,
442 get_driver_name(crypto_blkcipher, tfm), e);
443
437 i = 0; 444 i = 0;
438 do { 445 do {
439 446
@@ -483,9 +490,9 @@ static void test_cipher_speed(const char *algo, int enc, unsigned int sec,
483 crypto_blkcipher_set_iv(tfm, iv, iv_len); 490 crypto_blkcipher_set_iv(tfm, iv, iv_len);
484 } 491 }
485 492
486 if (sec) 493 if (secs)
487 ret = test_cipher_jiffies(&desc, enc, sg, 494 ret = test_cipher_jiffies(&desc, enc, sg,
488 *b_size, sec); 495 *b_size, secs);
489 else 496 else
490 ret = test_cipher_cycles(&desc, enc, sg, 497 ret = test_cipher_cycles(&desc, enc, sg,
491 *b_size); 498 *b_size);
@@ -506,13 +513,13 @@ out:
506 513
507static int test_hash_jiffies_digest(struct hash_desc *desc, 514static int test_hash_jiffies_digest(struct hash_desc *desc,
508 struct scatterlist *sg, int blen, 515 struct scatterlist *sg, int blen,
509 char *out, int sec) 516 char *out, int secs)
510{ 517{
511 unsigned long start, end; 518 unsigned long start, end;
512 int bcount; 519 int bcount;
513 int ret; 520 int ret;
514 521
515 for (start = jiffies, end = start + sec * HZ, bcount = 0; 522 for (start = jiffies, end = start + secs * HZ, bcount = 0;
516 time_before(jiffies, end); bcount++) { 523 time_before(jiffies, end); bcount++) {
517 ret = crypto_hash_digest(desc, sg, blen, out); 524 ret = crypto_hash_digest(desc, sg, blen, out);
518 if (ret) 525 if (ret)
@@ -520,22 +527,22 @@ static int test_hash_jiffies_digest(struct hash_desc *desc,
520 } 527 }
521 528
522 printk("%6u opers/sec, %9lu bytes/sec\n", 529 printk("%6u opers/sec, %9lu bytes/sec\n",
523 bcount / sec, ((long)bcount * blen) / sec); 530 bcount / secs, ((long)bcount * blen) / secs);
524 531
525 return 0; 532 return 0;
526} 533}
527 534
528static int test_hash_jiffies(struct hash_desc *desc, struct scatterlist *sg, 535static int test_hash_jiffies(struct hash_desc *desc, struct scatterlist *sg,
529 int blen, int plen, char *out, int sec) 536 int blen, int plen, char *out, int secs)
530{ 537{
531 unsigned long start, end; 538 unsigned long start, end;
532 int bcount, pcount; 539 int bcount, pcount;
533 int ret; 540 int ret;
534 541
535 if (plen == blen) 542 if (plen == blen)
536 return test_hash_jiffies_digest(desc, sg, blen, out, sec); 543 return test_hash_jiffies_digest(desc, sg, blen, out, secs);
537 544
538 for (start = jiffies, end = start + sec * HZ, bcount = 0; 545 for (start = jiffies, end = start + secs * HZ, bcount = 0;
539 time_before(jiffies, end); bcount++) { 546 time_before(jiffies, end); bcount++) {
540 ret = crypto_hash_init(desc); 547 ret = crypto_hash_init(desc);
541 if (ret) 548 if (ret)
@@ -552,7 +559,7 @@ static int test_hash_jiffies(struct hash_desc *desc, struct scatterlist *sg,
552 } 559 }
553 560
554 printk("%6u opers/sec, %9lu bytes/sec\n", 561 printk("%6u opers/sec, %9lu bytes/sec\n",
555 bcount / sec, ((long)bcount * blen) / sec); 562 bcount / secs, ((long)bcount * blen) / secs);
556 563
557 return 0; 564 return 0;
558} 565}
@@ -673,7 +680,7 @@ static void test_hash_sg_init(struct scatterlist *sg)
673 } 680 }
674} 681}
675 682
676static void test_hash_speed(const char *algo, unsigned int sec, 683static void test_hash_speed(const char *algo, unsigned int secs,
677 struct hash_speed *speed) 684 struct hash_speed *speed)
678{ 685{
679 struct scatterlist sg[TVMEMSIZE]; 686 struct scatterlist sg[TVMEMSIZE];
@@ -683,8 +690,6 @@ static void test_hash_speed(const char *algo, unsigned int sec,
683 int i; 690 int i;
684 int ret; 691 int ret;
685 692
686 printk(KERN_INFO "\ntesting speed of %s\n", algo);
687
688 tfm = crypto_alloc_hash(algo, 0, CRYPTO_ALG_ASYNC); 693 tfm = crypto_alloc_hash(algo, 0, CRYPTO_ALG_ASYNC);
689 694
690 if (IS_ERR(tfm)) { 695 if (IS_ERR(tfm)) {
@@ -693,6 +698,9 @@ static void test_hash_speed(const char *algo, unsigned int sec,
693 return; 698 return;
694 } 699 }
695 700
701 printk(KERN_INFO "\ntesting speed of %s (%s)\n", algo,
702 get_driver_name(crypto_hash, tfm));
703
696 desc.tfm = tfm; 704 desc.tfm = tfm;
697 desc.flags = 0; 705 desc.flags = 0;
698 706
@@ -718,9 +726,9 @@ static void test_hash_speed(const char *algo, unsigned int sec,
718 "(%5u byte blocks,%5u bytes per update,%4u updates): ", 726 "(%5u byte blocks,%5u bytes per update,%4u updates): ",
719 i, speed[i].blen, speed[i].plen, speed[i].blen / speed[i].plen); 727 i, speed[i].blen, speed[i].plen, speed[i].blen / speed[i].plen);
720 728
721 if (sec) 729 if (secs)
722 ret = test_hash_jiffies(&desc, sg, speed[i].blen, 730 ret = test_hash_jiffies(&desc, sg, speed[i].blen,
723 speed[i].plen, output, sec); 731 speed[i].plen, output, secs);
724 else 732 else
725 ret = test_hash_cycles(&desc, sg, speed[i].blen, 733 ret = test_hash_cycles(&desc, sg, speed[i].blen,
726 speed[i].plen, output); 734 speed[i].plen, output);
@@ -765,13 +773,13 @@ static inline int do_one_ahash_op(struct ahash_request *req, int ret)
765} 773}
766 774
767static int test_ahash_jiffies_digest(struct ahash_request *req, int blen, 775static int test_ahash_jiffies_digest(struct ahash_request *req, int blen,
768 char *out, int sec) 776 char *out, int secs)
769{ 777{
770 unsigned long start, end; 778 unsigned long start, end;
771 int bcount; 779 int bcount;
772 int ret; 780 int ret;
773 781
774 for (start = jiffies, end = start + sec * HZ, bcount = 0; 782 for (start = jiffies, end = start + secs * HZ, bcount = 0;
775 time_before(jiffies, end); bcount++) { 783 time_before(jiffies, end); bcount++) {
776 ret = do_one_ahash_op(req, crypto_ahash_digest(req)); 784 ret = do_one_ahash_op(req, crypto_ahash_digest(req));
777 if (ret) 785 if (ret)
@@ -779,22 +787,22 @@ static int test_ahash_jiffies_digest(struct ahash_request *req, int blen,
779 } 787 }
780 788
781 printk("%6u opers/sec, %9lu bytes/sec\n", 789 printk("%6u opers/sec, %9lu bytes/sec\n",
782 bcount / sec, ((long)bcount * blen) / sec); 790 bcount / secs, ((long)bcount * blen) / secs);
783 791
784 return 0; 792 return 0;
785} 793}
786 794
787static int test_ahash_jiffies(struct ahash_request *req, int blen, 795static int test_ahash_jiffies(struct ahash_request *req, int blen,
788 int plen, char *out, int sec) 796 int plen, char *out, int secs)
789{ 797{
790 unsigned long start, end; 798 unsigned long start, end;
791 int bcount, pcount; 799 int bcount, pcount;
792 int ret; 800 int ret;
793 801
794 if (plen == blen) 802 if (plen == blen)
795 return test_ahash_jiffies_digest(req, blen, out, sec); 803 return test_ahash_jiffies_digest(req, blen, out, secs);
796 804
797 for (start = jiffies, end = start + sec * HZ, bcount = 0; 805 for (start = jiffies, end = start + secs * HZ, bcount = 0;
798 time_before(jiffies, end); bcount++) { 806 time_before(jiffies, end); bcount++) {
799 ret = crypto_ahash_init(req); 807 ret = crypto_ahash_init(req);
800 if (ret) 808 if (ret)
@@ -811,7 +819,7 @@ static int test_ahash_jiffies(struct ahash_request *req, int blen,
811 } 819 }
812 820
813 pr_cont("%6u opers/sec, %9lu bytes/sec\n", 821 pr_cont("%6u opers/sec, %9lu bytes/sec\n",
814 bcount / sec, ((long)bcount * blen) / sec); 822 bcount / secs, ((long)bcount * blen) / secs);
815 823
816 return 0; 824 return 0;
817} 825}
@@ -911,7 +919,7 @@ out:
911 return 0; 919 return 0;
912} 920}
913 921
914static void test_ahash_speed(const char *algo, unsigned int sec, 922static void test_ahash_speed(const char *algo, unsigned int secs,
915 struct hash_speed *speed) 923 struct hash_speed *speed)
916{ 924{
917 struct scatterlist sg[TVMEMSIZE]; 925 struct scatterlist sg[TVMEMSIZE];
@@ -921,8 +929,6 @@ static void test_ahash_speed(const char *algo, unsigned int sec,
921 static char output[1024]; 929 static char output[1024];
922 int i, ret; 930 int i, ret;
923 931
924 printk(KERN_INFO "\ntesting speed of async %s\n", algo);
925
926 tfm = crypto_alloc_ahash(algo, 0, 0); 932 tfm = crypto_alloc_ahash(algo, 0, 0);
927 if (IS_ERR(tfm)) { 933 if (IS_ERR(tfm)) {
928 pr_err("failed to load transform for %s: %ld\n", 934 pr_err("failed to load transform for %s: %ld\n",
@@ -930,6 +936,9 @@ static void test_ahash_speed(const char *algo, unsigned int sec,
930 return; 936 return;
931 } 937 }
932 938
939 printk(KERN_INFO "\ntesting speed of async %s (%s)\n", algo,
940 get_driver_name(crypto_ahash, tfm));
941
933 if (crypto_ahash_digestsize(tfm) > sizeof(output)) { 942 if (crypto_ahash_digestsize(tfm) > sizeof(output)) {
934 pr_err("digestsize(%u) > outputbuffer(%zu)\n", 943 pr_err("digestsize(%u) > outputbuffer(%zu)\n",
935 crypto_ahash_digestsize(tfm), sizeof(output)); 944 crypto_ahash_digestsize(tfm), sizeof(output));
@@ -960,9 +969,9 @@ static void test_ahash_speed(const char *algo, unsigned int sec,
960 969
961 ahash_request_set_crypt(req, sg, output, speed[i].plen); 970 ahash_request_set_crypt(req, sg, output, speed[i].plen);
962 971
963 if (sec) 972 if (secs)
964 ret = test_ahash_jiffies(req, speed[i].blen, 973 ret = test_ahash_jiffies(req, speed[i].blen,
965 speed[i].plen, output, sec); 974 speed[i].plen, output, secs);
966 else 975 else
967 ret = test_ahash_cycles(req, speed[i].blen, 976 ret = test_ahash_cycles(req, speed[i].blen,
968 speed[i].plen, output); 977 speed[i].plen, output);
@@ -994,13 +1003,13 @@ static inline int do_one_acipher_op(struct ablkcipher_request *req, int ret)
994} 1003}
995 1004
996static int test_acipher_jiffies(struct ablkcipher_request *req, int enc, 1005static int test_acipher_jiffies(struct ablkcipher_request *req, int enc,
997 int blen, int sec) 1006 int blen, int secs)
998{ 1007{
999 unsigned long start, end; 1008 unsigned long start, end;
1000 int bcount; 1009 int bcount;
1001 int ret; 1010 int ret;
1002 1011
1003 for (start = jiffies, end = start + sec * HZ, bcount = 0; 1012 for (start = jiffies, end = start + secs * HZ, bcount = 0;
1004 time_before(jiffies, end); bcount++) { 1013 time_before(jiffies, end); bcount++) {
1005 if (enc) 1014 if (enc)
1006 ret = do_one_acipher_op(req, 1015 ret = do_one_acipher_op(req,
@@ -1014,7 +1023,7 @@ static int test_acipher_jiffies(struct ablkcipher_request *req, int enc,
1014 } 1023 }
1015 1024
1016 pr_cont("%d operations in %d seconds (%ld bytes)\n", 1025 pr_cont("%d operations in %d seconds (%ld bytes)\n",
1017 bcount, sec, (long)bcount * blen); 1026 bcount, secs, (long)bcount * blen);
1018 return 0; 1027 return 0;
1019} 1028}
1020 1029
@@ -1065,7 +1074,7 @@ out:
1065 return ret; 1074 return ret;
1066} 1075}
1067 1076
1068static void test_acipher_speed(const char *algo, int enc, unsigned int sec, 1077static void test_acipher_speed(const char *algo, int enc, unsigned int secs,
1069 struct cipher_speed_template *template, 1078 struct cipher_speed_template *template,
1070 unsigned int tcount, u8 *keysize) 1079 unsigned int tcount, u8 *keysize)
1071{ 1080{
@@ -1083,8 +1092,6 @@ static void test_acipher_speed(const char *algo, int enc, unsigned int sec,
1083 else 1092 else
1084 e = "decryption"; 1093 e = "decryption";
1085 1094
1086 pr_info("\ntesting speed of async %s %s\n", algo, e);
1087
1088 init_completion(&tresult.completion); 1095 init_completion(&tresult.completion);
1089 1096
1090 tfm = crypto_alloc_ablkcipher(algo, 0, 0); 1097 tfm = crypto_alloc_ablkcipher(algo, 0, 0);
@@ -1095,6 +1102,9 @@ static void test_acipher_speed(const char *algo, int enc, unsigned int sec,
1095 return; 1102 return;
1096 } 1103 }
1097 1104
1105 pr_info("\ntesting speed of async %s (%s) %s\n", algo,
1106 get_driver_name(crypto_ablkcipher, tfm), e);
1107
1098 req = ablkcipher_request_alloc(tfm, GFP_KERNEL); 1108 req = ablkcipher_request_alloc(tfm, GFP_KERNEL);
1099 if (!req) { 1109 if (!req) {
1100 pr_err("tcrypt: skcipher: Failed to allocate request for %s\n", 1110 pr_err("tcrypt: skcipher: Failed to allocate request for %s\n",
@@ -1168,9 +1178,9 @@ static void test_acipher_speed(const char *algo, int enc, unsigned int sec,
1168 1178
1169 ablkcipher_request_set_crypt(req, sg, sg, *b_size, iv); 1179 ablkcipher_request_set_crypt(req, sg, sg, *b_size, iv);
1170 1180
1171 if (sec) 1181 if (secs)
1172 ret = test_acipher_jiffies(req, enc, 1182 ret = test_acipher_jiffies(req, enc,
1173 *b_size, sec); 1183 *b_size, secs);
1174 else 1184 else
1175 ret = test_acipher_cycles(req, enc, 1185 ret = test_acipher_cycles(req, enc,
1176 *b_size); 1186 *b_size);
@@ -1585,6 +1595,12 @@ static int do_test(int m)
1585 test_cipher_speed("cbc(des3_ede)", DECRYPT, sec, 1595 test_cipher_speed("cbc(des3_ede)", DECRYPT, sec,
1586 des3_speed_template, DES3_SPEED_VECTORS, 1596 des3_speed_template, DES3_SPEED_VECTORS,
1587 speed_template_24); 1597 speed_template_24);
1598 test_cipher_speed("ctr(des3_ede)", ENCRYPT, sec,
1599 des3_speed_template, DES3_SPEED_VECTORS,
1600 speed_template_24);
1601 test_cipher_speed("ctr(des3_ede)", DECRYPT, sec,
1602 des3_speed_template, DES3_SPEED_VECTORS,
1603 speed_template_24);
1588 break; 1604 break;
1589 1605
1590 case 202: 1606 case 202:
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 498649ac1953..ac2b63105afc 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -27,6 +27,7 @@
27#include <linux/slab.h> 27#include <linux/slab.h>
28#include <linux/string.h> 28#include <linux/string.h>
29#include <crypto/rng.h> 29#include <crypto/rng.h>
30#include <crypto/drbg.h>
30 31
31#include "internal.h" 32#include "internal.h"
32 33
@@ -108,6 +109,11 @@ struct cprng_test_suite {
108 unsigned int count; 109 unsigned int count;
109}; 110};
110 111
112struct drbg_test_suite {
113 struct drbg_testvec *vecs;
114 unsigned int count;
115};
116
111struct alg_test_desc { 117struct alg_test_desc {
112 const char *alg; 118 const char *alg;
113 int (*test)(const struct alg_test_desc *desc, const char *driver, 119 int (*test)(const struct alg_test_desc *desc, const char *driver,
@@ -121,6 +127,7 @@ struct alg_test_desc {
121 struct pcomp_test_suite pcomp; 127 struct pcomp_test_suite pcomp;
122 struct hash_test_suite hash; 128 struct hash_test_suite hash;
123 struct cprng_test_suite cprng; 129 struct cprng_test_suite cprng;
130 struct drbg_test_suite drbg;
124 } suite; 131 } suite;
125}; 132};
126 133
@@ -191,13 +198,20 @@ static int __test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
191 const char *algo = crypto_tfm_alg_driver_name(crypto_ahash_tfm(tfm)); 198 const char *algo = crypto_tfm_alg_driver_name(crypto_ahash_tfm(tfm));
192 unsigned int i, j, k, temp; 199 unsigned int i, j, k, temp;
193 struct scatterlist sg[8]; 200 struct scatterlist sg[8];
194 char result[64]; 201 char *result;
202 char *key;
195 struct ahash_request *req; 203 struct ahash_request *req;
196 struct tcrypt_result tresult; 204 struct tcrypt_result tresult;
197 void *hash_buff; 205 void *hash_buff;
198 char *xbuf[XBUFSIZE]; 206 char *xbuf[XBUFSIZE];
199 int ret = -ENOMEM; 207 int ret = -ENOMEM;
200 208
209 result = kmalloc(MAX_DIGEST_SIZE, GFP_KERNEL);
210 if (!result)
211 return ret;
212 key = kmalloc(MAX_KEYLEN, GFP_KERNEL);
213 if (!key)
214 goto out_nobuf;
201 if (testmgr_alloc_buf(xbuf)) 215 if (testmgr_alloc_buf(xbuf))
202 goto out_nobuf; 216 goto out_nobuf;
203 217
@@ -222,7 +236,7 @@ static int __test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
222 goto out; 236 goto out;
223 237
224 j++; 238 j++;
225 memset(result, 0, 64); 239 memset(result, 0, MAX_DIGEST_SIZE);
226 240
227 hash_buff = xbuf[0]; 241 hash_buff = xbuf[0];
228 hash_buff += align_offset; 242 hash_buff += align_offset;
@@ -232,8 +246,14 @@ static int __test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
232 246
233 if (template[i].ksize) { 247 if (template[i].ksize) {
234 crypto_ahash_clear_flags(tfm, ~0); 248 crypto_ahash_clear_flags(tfm, ~0);
235 ret = crypto_ahash_setkey(tfm, template[i].key, 249 if (template[i].ksize > MAX_KEYLEN) {
236 template[i].ksize); 250 pr_err("alg: hash: setkey failed on test %d for %s: key size %d > %d\n",
251 j, algo, template[i].ksize, MAX_KEYLEN);
252 ret = -EINVAL;
253 goto out;
254 }
255 memcpy(key, template[i].key, template[i].ksize);
256 ret = crypto_ahash_setkey(tfm, key, template[i].ksize);
237 if (ret) { 257 if (ret) {
238 printk(KERN_ERR "alg: hash: setkey failed on " 258 printk(KERN_ERR "alg: hash: setkey failed on "
239 "test %d for %s: ret=%d\n", j, algo, 259 "test %d for %s: ret=%d\n", j, algo,
@@ -293,7 +313,7 @@ static int __test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
293 313
294 if (template[i].np) { 314 if (template[i].np) {
295 j++; 315 j++;
296 memset(result, 0, 64); 316 memset(result, 0, MAX_DIGEST_SIZE);
297 317
298 temp = 0; 318 temp = 0;
299 sg_init_table(sg, template[i].np); 319 sg_init_table(sg, template[i].np);
@@ -312,8 +332,16 @@ static int __test_hash(struct crypto_ahash *tfm, struct hash_testvec *template,
312 } 332 }
313 333
314 if (template[i].ksize) { 334 if (template[i].ksize) {
335 if (template[i].ksize > MAX_KEYLEN) {
336 pr_err("alg: hash: setkey failed on test %d for %s: key size %d > %d\n",
337 j, algo, template[i].ksize,
338 MAX_KEYLEN);
339 ret = -EINVAL;
340 goto out;
341 }
315 crypto_ahash_clear_flags(tfm, ~0); 342 crypto_ahash_clear_flags(tfm, ~0);
316 ret = crypto_ahash_setkey(tfm, template[i].key, 343 memcpy(key, template[i].key, template[i].ksize);
344 ret = crypto_ahash_setkey(tfm, key,
317 template[i].ksize); 345 template[i].ksize);
318 346
319 if (ret) { 347 if (ret) {
@@ -365,6 +393,8 @@ out:
365out_noreq: 393out_noreq:
366 testmgr_free_buf(xbuf); 394 testmgr_free_buf(xbuf);
367out_nobuf: 395out_nobuf:
396 kfree(key);
397 kfree(result);
368 return ret; 398 return ret;
369} 399}
370 400
@@ -422,6 +452,9 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
422 iv = kzalloc(MAX_IVLEN, GFP_KERNEL); 452 iv = kzalloc(MAX_IVLEN, GFP_KERNEL);
423 if (!iv) 453 if (!iv)
424 return ret; 454 return ret;
455 key = kmalloc(MAX_KEYLEN, GFP_KERNEL);
456 if (!key)
457 goto out_noxbuf;
425 if (testmgr_alloc_buf(xbuf)) 458 if (testmgr_alloc_buf(xbuf))
426 goto out_noxbuf; 459 goto out_noxbuf;
427 if (testmgr_alloc_buf(axbuf)) 460 if (testmgr_alloc_buf(axbuf))
@@ -486,7 +519,14 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
486 crypto_aead_set_flags( 519 crypto_aead_set_flags(
487 tfm, CRYPTO_TFM_REQ_WEAK_KEY); 520 tfm, CRYPTO_TFM_REQ_WEAK_KEY);
488 521
489 key = template[i].key; 522 if (template[i].klen > MAX_KEYLEN) {
523 pr_err("alg: aead%s: setkey failed on test %d for %s: key size %d > %d\n",
524 d, j, algo, template[i].klen,
525 MAX_KEYLEN);
526 ret = -EINVAL;
527 goto out;
528 }
529 memcpy(key, template[i].key, template[i].klen);
490 530
491 ret = crypto_aead_setkey(tfm, key, 531 ret = crypto_aead_setkey(tfm, key,
492 template[i].klen); 532 template[i].klen);
@@ -587,7 +627,14 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
587 if (template[i].wk) 627 if (template[i].wk)
588 crypto_aead_set_flags( 628 crypto_aead_set_flags(
589 tfm, CRYPTO_TFM_REQ_WEAK_KEY); 629 tfm, CRYPTO_TFM_REQ_WEAK_KEY);
590 key = template[i].key; 630 if (template[i].klen > MAX_KEYLEN) {
631 pr_err("alg: aead%s: setkey failed on test %d for %s: key size %d > %d\n",
632 d, j, algo, template[i].klen,
633 MAX_KEYLEN);
634 ret = -EINVAL;
635 goto out;
636 }
637 memcpy(key, template[i].key, template[i].klen);
591 638
592 ret = crypto_aead_setkey(tfm, key, template[i].klen); 639 ret = crypto_aead_setkey(tfm, key, template[i].klen);
593 if (!ret == template[i].fail) { 640 if (!ret == template[i].fail) {
@@ -769,6 +816,7 @@ out_nooutbuf:
769out_noaxbuf: 816out_noaxbuf:
770 testmgr_free_buf(xbuf); 817 testmgr_free_buf(xbuf);
771out_noxbuf: 818out_noxbuf:
819 kfree(key);
772 kfree(iv); 820 kfree(iv);
773 return ret; 821 return ret;
774} 822}
@@ -1715,6 +1763,100 @@ static int alg_test_cprng(const struct alg_test_desc *desc, const char *driver,
1715 return err; 1763 return err;
1716} 1764}
1717 1765
1766
1767static int drbg_cavs_test(struct drbg_testvec *test, int pr,
1768 const char *driver, u32 type, u32 mask)
1769{
1770 int ret = -EAGAIN;
1771 struct crypto_rng *drng;
1772 struct drbg_test_data test_data;
1773 struct drbg_string addtl, pers, testentropy;
1774 unsigned char *buf = kzalloc(test->expectedlen, GFP_KERNEL);
1775
1776 if (!buf)
1777 return -ENOMEM;
1778
1779 drng = crypto_alloc_rng(driver, type, mask);
1780 if (IS_ERR(drng)) {
1781 printk(KERN_ERR "alg: drbg: could not allocate DRNG handle for "
1782 "%s\n", driver);
1783 kzfree(buf);
1784 return -ENOMEM;
1785 }
1786
1787 test_data.testentropy = &testentropy;
1788 drbg_string_fill(&testentropy, test->entropy, test->entropylen);
1789 drbg_string_fill(&pers, test->pers, test->perslen);
1790 ret = crypto_drbg_reset_test(drng, &pers, &test_data);
1791 if (ret) {
1792 printk(KERN_ERR "alg: drbg: Failed to reset rng\n");
1793 goto outbuf;
1794 }
1795
1796 drbg_string_fill(&addtl, test->addtla, test->addtllen);
1797 if (pr) {
1798 drbg_string_fill(&testentropy, test->entpra, test->entprlen);
1799 ret = crypto_drbg_get_bytes_addtl_test(drng,
1800 buf, test->expectedlen, &addtl, &test_data);
1801 } else {
1802 ret = crypto_drbg_get_bytes_addtl(drng,
1803 buf, test->expectedlen, &addtl);
1804 }
1805 if (ret <= 0) {
1806 printk(KERN_ERR "alg: drbg: could not obtain random data for "
1807 "driver %s\n", driver);
1808 goto outbuf;
1809 }
1810
1811 drbg_string_fill(&addtl, test->addtlb, test->addtllen);
1812 if (pr) {
1813 drbg_string_fill(&testentropy, test->entprb, test->entprlen);
1814 ret = crypto_drbg_get_bytes_addtl_test(drng,
1815 buf, test->expectedlen, &addtl, &test_data);
1816 } else {
1817 ret = crypto_drbg_get_bytes_addtl(drng,
1818 buf, test->expectedlen, &addtl);
1819 }
1820 if (ret <= 0) {
1821 printk(KERN_ERR "alg: drbg: could not obtain random data for "
1822 "driver %s\n", driver);
1823 goto outbuf;
1824 }
1825
1826 ret = memcmp(test->expected, buf, test->expectedlen);
1827
1828outbuf:
1829 crypto_free_rng(drng);
1830 kzfree(buf);
1831 return ret;
1832}
1833
1834
1835static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver,
1836 u32 type, u32 mask)
1837{
1838 int err = 0;
1839 int pr = 0;
1840 int i = 0;
1841 struct drbg_testvec *template = desc->suite.drbg.vecs;
1842 unsigned int tcount = desc->suite.drbg.count;
1843
1844 if (0 == memcmp(driver, "drbg_pr_", 8))
1845 pr = 1;
1846
1847 for (i = 0; i < tcount; i++) {
1848 err = drbg_cavs_test(&template[i], pr, driver, type, mask);
1849 if (err) {
1850 printk(KERN_ERR "alg: drbg: Test %d failed for %s\n",
1851 i, driver);
1852 err = -EINVAL;
1853 break;
1854 }
1855 }
1856 return err;
1857
1858}
1859
1718static int alg_test_null(const struct alg_test_desc *desc, 1860static int alg_test_null(const struct alg_test_desc *desc,
1719 const char *driver, u32 type, u32 mask) 1861 const char *driver, u32 type, u32 mask)
1720{ 1862{
@@ -2458,6 +2600,152 @@ static const struct alg_test_desc alg_test_descs[] = {
2458 .alg = "digest_null", 2600 .alg = "digest_null",
2459 .test = alg_test_null, 2601 .test = alg_test_null,
2460 }, { 2602 }, {
2603 .alg = "drbg_nopr_ctr_aes128",
2604 .test = alg_test_drbg,
2605 .fips_allowed = 1,
2606 .suite = {
2607 .drbg = {
2608 .vecs = drbg_nopr_ctr_aes128_tv_template,
2609 .count = ARRAY_SIZE(drbg_nopr_ctr_aes128_tv_template)
2610 }
2611 }
2612 }, {
2613 .alg = "drbg_nopr_ctr_aes192",
2614 .test = alg_test_drbg,
2615 .fips_allowed = 1,
2616 .suite = {
2617 .drbg = {
2618 .vecs = drbg_nopr_ctr_aes192_tv_template,
2619 .count = ARRAY_SIZE(drbg_nopr_ctr_aes192_tv_template)
2620 }
2621 }
2622 }, {
2623 .alg = "drbg_nopr_ctr_aes256",
2624 .test = alg_test_drbg,
2625 .fips_allowed = 1,
2626 .suite = {
2627 .drbg = {
2628 .vecs = drbg_nopr_ctr_aes256_tv_template,
2629 .count = ARRAY_SIZE(drbg_nopr_ctr_aes256_tv_template)
2630 }
2631 }
2632 }, {
2633 /*
2634 * There is no need to specifically test the DRBG with every
2635 * backend cipher -- covered by drbg_nopr_hmac_sha256 test
2636 */
2637 .alg = "drbg_nopr_hmac_sha1",
2638 .fips_allowed = 1,
2639 .test = alg_test_null,
2640 }, {
2641 .alg = "drbg_nopr_hmac_sha256",
2642 .test = alg_test_drbg,
2643 .fips_allowed = 1,
2644 .suite = {
2645 .drbg = {
2646 .vecs = drbg_nopr_hmac_sha256_tv_template,
2647 .count =
2648 ARRAY_SIZE(drbg_nopr_hmac_sha256_tv_template)
2649 }
2650 }
2651 }, {
2652 /* covered by drbg_nopr_hmac_sha256 test */
2653 .alg = "drbg_nopr_hmac_sha384",
2654 .fips_allowed = 1,
2655 .test = alg_test_null,
2656 }, {
2657 .alg = "drbg_nopr_hmac_sha512",
2658 .test = alg_test_null,
2659 .fips_allowed = 1,
2660 }, {
2661 .alg = "drbg_nopr_sha1",
2662 .fips_allowed = 1,
2663 .test = alg_test_null,
2664 }, {
2665 .alg = "drbg_nopr_sha256",
2666 .test = alg_test_drbg,
2667 .fips_allowed = 1,
2668 .suite = {
2669 .drbg = {
2670 .vecs = drbg_nopr_sha256_tv_template,
2671 .count = ARRAY_SIZE(drbg_nopr_sha256_tv_template)
2672 }
2673 }
2674 }, {
2675 /* covered by drbg_nopr_sha256 test */
2676 .alg = "drbg_nopr_sha384",
2677 .fips_allowed = 1,
2678 .test = alg_test_null,
2679 }, {
2680 .alg = "drbg_nopr_sha512",
2681 .fips_allowed = 1,
2682 .test = alg_test_null,
2683 }, {
2684 .alg = "drbg_pr_ctr_aes128",
2685 .test = alg_test_drbg,
2686 .fips_allowed = 1,
2687 .suite = {
2688 .drbg = {
2689 .vecs = drbg_pr_ctr_aes128_tv_template,
2690 .count = ARRAY_SIZE(drbg_pr_ctr_aes128_tv_template)
2691 }
2692 }
2693 }, {
2694 /* covered by drbg_pr_ctr_aes128 test */
2695 .alg = "drbg_pr_ctr_aes192",
2696 .fips_allowed = 1,
2697 .test = alg_test_null,
2698 }, {
2699 .alg = "drbg_pr_ctr_aes256",
2700 .fips_allowed = 1,
2701 .test = alg_test_null,
2702 }, {
2703 .alg = "drbg_pr_hmac_sha1",
2704 .fips_allowed = 1,
2705 .test = alg_test_null,
2706 }, {
2707 .alg = "drbg_pr_hmac_sha256",
2708 .test = alg_test_drbg,
2709 .fips_allowed = 1,
2710 .suite = {
2711 .drbg = {
2712 .vecs = drbg_pr_hmac_sha256_tv_template,
2713 .count = ARRAY_SIZE(drbg_pr_hmac_sha256_tv_template)
2714 }
2715 }
2716 }, {
2717 /* covered by drbg_pr_hmac_sha256 test */
2718 .alg = "drbg_pr_hmac_sha384",
2719 .fips_allowed = 1,
2720 .test = alg_test_null,
2721 }, {
2722 .alg = "drbg_pr_hmac_sha512",
2723 .test = alg_test_null,
2724 .fips_allowed = 1,
2725 }, {
2726 .alg = "drbg_pr_sha1",
2727 .fips_allowed = 1,
2728 .test = alg_test_null,
2729 }, {
2730 .alg = "drbg_pr_sha256",
2731 .test = alg_test_drbg,
2732 .fips_allowed = 1,
2733 .suite = {
2734 .drbg = {
2735 .vecs = drbg_pr_sha256_tv_template,
2736 .count = ARRAY_SIZE(drbg_pr_sha256_tv_template)
2737 }
2738 }
2739 }, {
2740 /* covered by drbg_pr_sha256 test */
2741 .alg = "drbg_pr_sha384",
2742 .fips_allowed = 1,
2743 .test = alg_test_null,
2744 }, {
2745 .alg = "drbg_pr_sha512",
2746 .fips_allowed = 1,
2747 .test = alg_test_null,
2748 }, {
2461 .alg = "ecb(__aes-aesni)", 2749 .alg = "ecb(__aes-aesni)",
2462 .test = alg_test_null, 2750 .test = alg_test_null,
2463 .fips_allowed = 1, 2751 .fips_allowed = 1,
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 69d0dd8ef27e..6597203eccfa 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -32,7 +32,7 @@
32#define MAX_DIGEST_SIZE 64 32#define MAX_DIGEST_SIZE 64
33#define MAX_TAP 8 33#define MAX_TAP 8
34 34
35#define MAX_KEYLEN 56 35#define MAX_KEYLEN 160
36#define MAX_IVLEN 32 36#define MAX_IVLEN 32
37 37
38struct hash_testvec { 38struct hash_testvec {
@@ -92,6 +92,21 @@ struct cprng_testvec {
92 unsigned short loops; 92 unsigned short loops;
93}; 93};
94 94
95struct drbg_testvec {
96 unsigned char *entropy;
97 size_t entropylen;
98 unsigned char *entpra;
99 unsigned char *entprb;
100 size_t entprlen;
101 unsigned char *addtla;
102 unsigned char *addtlb;
103 size_t addtllen;
104 unsigned char *pers;
105 size_t perslen;
106 unsigned char *expected;
107 size_t expectedlen;
108};
109
95static char zeroed_string[48]; 110static char zeroed_string[48];
96 111
97/* 112/*
@@ -1807,18 +1822,59 @@ static struct hash_testvec tgr128_tv_template[] = {
1807 }, 1822 },
1808}; 1823};
1809 1824
1810#define GHASH_TEST_VECTORS 1 1825#define GHASH_TEST_VECTORS 5
1811 1826
1812static struct hash_testvec ghash_tv_template[] = 1827static struct hash_testvec ghash_tv_template[] =
1813{ 1828{
1814 { 1829 {
1815 1830 .key = "\xdf\xa6\xbf\x4d\xed\x81\xdb\x03"
1816 .key = "\xdf\xa6\xbf\x4d\xed\x81\xdb\x03\xff\xca\xff\x95\xf8\x30\xf0\x61", 1831 "\xff\xca\xff\x95\xf8\x30\xf0\x61",
1817 .ksize = 16, 1832 .ksize = 16,
1818 .plaintext = "\x95\x2b\x2a\x56\xa5\x60\x04a\xc0\xb3\x2b\x66\x56\xa0\x5b\x40\xb6", 1833 .plaintext = "\x95\x2b\x2a\x56\xa5\x60\x04a\xc0"
1834 "\xb3\x2b\x66\x56\xa0\x5b\x40\xb6",
1819 .psize = 16, 1835 .psize = 16,
1820 .digest = "\xda\x53\xeb\x0a\xd2\xc5\x5b\xb6" 1836 .digest = "\xda\x53\xeb\x0a\xd2\xc5\x5b\xb6"
1821 "\x4f\xc4\x80\x2c\xc3\xfe\xda\x60", 1837 "\x4f\xc4\x80\x2c\xc3\xfe\xda\x60",
1838 }, {
1839 .key = "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
1840 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
1841 .ksize = 16,
1842 .plaintext = "what do ya want for nothing?",
1843 .psize = 28,
1844 .digest = "\x3e\x1f\x5c\x4d\x65\xf0\xef\xce"
1845 "\x0d\x61\x06\x27\x66\x51\xd5\xe2",
1846 .np = 2,
1847 .tap = {14, 14}
1848 }, {
1849 .key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
1850 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
1851 .ksize = 16,
1852 .plaintext = "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
1853 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
1854 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
1855 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
1856 .psize = 50,
1857 .digest = "\xfb\x49\x8a\x36\xe1\x96\xe1\x96"
1858 "\xe1\x96\xe1\x96\xe1\x96\xe1\x96",
1859 }, {
1860 .key = "\xda\x53\xeb\x0a\xd2\xc5\x5b\xb6"
1861 "\x4f\xc4\x80\x2c\xc3\xfe\xda\x60",
1862 .ksize = 16,
1863 .plaintext = "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
1864 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
1865 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
1866 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
1867 .psize = 50,
1868 .digest = "\x2b\x5c\x0c\x7f\x52\xd1\x60\xc2"
1869 "\x49\xed\x6e\x32\x7a\xa9\xbe\x08",
1870 }, {
1871 .key = "\x95\x2b\x2a\x56\xa5\x60\x04a\xc0"
1872 "\xb3\x2b\x66\x56\xa0\x5b\x40\xb6",
1873 .ksize = 16,
1874 .plaintext = "Test With Truncation",
1875 .psize = 20,
1876 .digest = "\xf8\x94\x87\x2a\x4b\x63\x99\x28"
1877 "\x23\xf7\x93\xf7\x19\xf5\x96\xd9",
1822 }, 1878 },
1823}; 1879};
1824 1880
@@ -3097,8 +3153,8 @@ static struct cipher_testvec des_enc_tv_template[] = {
3097 "\x5F\x62\xC7\x72\xD9\xFC\xCB\x9A", 3153 "\x5F\x62\xC7\x72\xD9\xFC\xCB\x9A",
3098 .rlen = 248, 3154 .rlen = 248,
3099 .also_non_np = 1, 3155 .also_non_np = 1,
3100 .np = 2, 3156 .np = 3,
3101 .tap = { 248 - 8, 8 }, 3157 .tap = { 248 - 10, 2, 8 },
3102 }, 3158 },
3103}; 3159};
3104 3160
@@ -3207,8 +3263,8 @@ static struct cipher_testvec des_dec_tv_template[] = {
3207 "\xC6\x2F\xBB\x24\x8D\x19\x82\xEB", 3263 "\xC6\x2F\xBB\x24\x8D\x19\x82\xEB",
3208 .rlen = 248, 3264 .rlen = 248,
3209 .also_non_np = 1, 3265 .also_non_np = 1,
3210 .np = 2, 3266 .np = 3,
3211 .tap = { 248 - 8, 8 }, 3267 .tap = { 248 - 10, 2, 8 },
3212 }, 3268 },
3213}; 3269};
3214 3270
@@ -3333,8 +3389,8 @@ static struct cipher_testvec des_cbc_enc_tv_template[] = {
3333 "\xC6\x4A\xF3\x55\xC7\x29\x2E\x63", 3389 "\xC6\x4A\xF3\x55\xC7\x29\x2E\x63",
3334 .rlen = 248, 3390 .rlen = 248,
3335 .also_non_np = 1, 3391 .also_non_np = 1,
3336 .np = 2, 3392 .np = 3,
3337 .tap = { 248 - 8, 8 }, 3393 .tap = { 248 - 10, 2, 8 },
3338 }, 3394 },
3339}; 3395};
3340 3396
@@ -3442,8 +3498,8 @@ static struct cipher_testvec des_cbc_dec_tv_template[] = {
3442 "\xC6\x2F\xBB\x24\x8D\x19\x82\xEB", 3498 "\xC6\x2F\xBB\x24\x8D\x19\x82\xEB",
3443 .rlen = 248, 3499 .rlen = 248,
3444 .also_non_np = 1, 3500 .also_non_np = 1,
3445 .np = 2, 3501 .np = 3,
3446 .tap = { 248 - 8, 8 }, 3502 .tap = { 248 - 10, 2, 8 },
3447 }, 3503 },
3448}; 3504};
3449 3505
@@ -3517,8 +3573,8 @@ static struct cipher_testvec des_ctr_enc_tv_template[] = {
3517 "\x69\x74\xA1\x06\x46\x0F\x4E\x75", 3573 "\x69\x74\xA1\x06\x46\x0F\x4E\x75",
3518 .rlen = 248, 3574 .rlen = 248,
3519 .also_non_np = 1, 3575 .also_non_np = 1,
3520 .np = 2, 3576 .np = 3,
3521 .tap = { 248 - 8, 8 }, 3577 .tap = { 248 - 10, 2, 8 },
3522 }, { /* Generated with Crypto++ */ 3578 }, { /* Generated with Crypto++ */
3523 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55", 3579 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55",
3524 .klen = 8, 3580 .klen = 8,
@@ -3663,8 +3719,8 @@ static struct cipher_testvec des_ctr_dec_tv_template[] = {
3663 "\xC6\x2F\xBB\x24\x8D\x19\x82\xEB", 3719 "\xC6\x2F\xBB\x24\x8D\x19\x82\xEB",
3664 .rlen = 248, 3720 .rlen = 248,
3665 .also_non_np = 1, 3721 .also_non_np = 1,
3666 .np = 2, 3722 .np = 3,
3667 .tap = { 248 - 8, 8 }, 3723 .tap = { 248 - 10, 2, 8 },
3668 }, { /* Generated with Crypto++ */ 3724 }, { /* Generated with Crypto++ */
3669 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55", 3725 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55",
3670 .klen = 8, 3726 .klen = 8,
@@ -3899,8 +3955,8 @@ static struct cipher_testvec des3_ede_enc_tv_template[] = {
3899 "\xD8\x45\xFF\x33\xBA\xBB\x2B\x63", 3955 "\xD8\x45\xFF\x33\xBA\xBB\x2B\x63",
3900 .rlen = 496, 3956 .rlen = 496,
3901 .also_non_np = 1, 3957 .also_non_np = 1,
3902 .np = 2, 3958 .np = 3,
3903 .tap = { 496 - 16, 16 }, 3959 .tap = { 496 - 20, 4, 16 },
3904 }, 3960 },
3905}; 3961};
3906 3962
@@ -4064,8 +4120,8 @@ static struct cipher_testvec des3_ede_dec_tv_template[] = {
4064 "\xB8\x03\xEA\x7D\xE1\x48\xD3\x47", 4120 "\xB8\x03\xEA\x7D\xE1\x48\xD3\x47",
4065 .rlen = 496, 4121 .rlen = 496,
4066 .also_non_np = 1, 4122 .also_non_np = 1,
4067 .np = 2, 4123 .np = 3,
4068 .tap = { 496 - 16, 16 }, 4124 .tap = { 496 - 20, 4, 16 },
4069 }, 4125 },
4070}; 4126};
4071 4127
@@ -4244,8 +4300,8 @@ static struct cipher_testvec des3_ede_cbc_enc_tv_template[] = {
4244 "\x95\x63\x73\xA2\x44\xAC\xF8\xA5", 4300 "\x95\x63\x73\xA2\x44\xAC\xF8\xA5",
4245 .rlen = 496, 4301 .rlen = 496,
4246 .also_non_np = 1, 4302 .also_non_np = 1,
4247 .np = 2, 4303 .np = 3,
4248 .tap = { 496 - 16, 16 }, 4304 .tap = { 496 - 20, 4, 16 },
4249 }, 4305 },
4250}; 4306};
4251 4307
@@ -4424,8 +4480,8 @@ static struct cipher_testvec des3_ede_cbc_dec_tv_template[] = {
4424 "\xB8\x03\xEA\x7D\xE1\x48\xD3\x47", 4480 "\xB8\x03\xEA\x7D\xE1\x48\xD3\x47",
4425 .rlen = 496, 4481 .rlen = 496,
4426 .also_non_np = 1, 4482 .also_non_np = 1,
4427 .np = 2, 4483 .np = 3,
4428 .tap = { 496 - 16, 16 }, 4484 .tap = { 496 - 20, 4, 16 },
4429 }, 4485 },
4430}; 4486};
4431 4487
@@ -4564,8 +4620,8 @@ static struct cipher_testvec des3_ede_ctr_enc_tv_template[] = {
4564 "\x5C\xEE\xFC\xCF\xC4\x70\x00\x34", 4620 "\x5C\xEE\xFC\xCF\xC4\x70\x00\x34",
4565 .rlen = 496, 4621 .rlen = 496,
4566 .also_non_np = 1, 4622 .also_non_np = 1,
4567 .np = 2, 4623 .np = 3,
4568 .tap = { 496 - 16, 16 }, 4624 .tap = { 496 - 20, 4, 16 },
4569 }, { /* Generated with Crypto++ */ 4625 }, { /* Generated with Crypto++ */
4570 .key = "\x9C\xD6\xF3\x9C\xB9\x5A\x67\x00" 4626 .key = "\x9C\xD6\xF3\x9C\xB9\x5A\x67\x00"
4571 "\x5A\x67\x00\x2D\xCE\xEB\x2D\xCE" 4627 "\x5A\x67\x00\x2D\xCE\xEB\x2D\xCE"
@@ -4842,8 +4898,8 @@ static struct cipher_testvec des3_ede_ctr_dec_tv_template[] = {
4842 "\xB8\x03\xEA\x7D\xE1\x48\xD3\x47", 4898 "\xB8\x03\xEA\x7D\xE1\x48\xD3\x47",
4843 .rlen = 496, 4899 .rlen = 496,
4844 .also_non_np = 1, 4900 .also_non_np = 1,
4845 .np = 2, 4901 .np = 3,
4846 .tap = { 496 - 16, 16 }, 4902 .tap = { 496 - 20, 4, 16 },
4847 }, { /* Generated with Crypto++ */ 4903 }, { /* Generated with Crypto++ */
4848 .key = "\x9C\xD6\xF3\x9C\xB9\x5A\x67\x00" 4904 .key = "\x9C\xD6\xF3\x9C\xB9\x5A\x67\x00"
4849 "\x5A\x67\x00\x2D\xCE\xEB\x2D\xCE" 4905 "\x5A\x67\x00\x2D\xCE\xEB\x2D\xCE"
@@ -5182,8 +5238,8 @@ static struct cipher_testvec bf_enc_tv_template[] = {
5182 "\xC9\x1A\xFB\x5D\xDE\xBB\x43\xF4", 5238 "\xC9\x1A\xFB\x5D\xDE\xBB\x43\xF4",
5183 .rlen = 504, 5239 .rlen = 504,
5184 .also_non_np = 1, 5240 .also_non_np = 1,
5185 .np = 2, 5241 .np = 3,
5186 .tap = { 504 - 8, 8 }, 5242 .tap = { 504 - 10, 2, 8 },
5187 }, 5243 },
5188}; 5244};
5189 5245
@@ -5374,8 +5430,8 @@ static struct cipher_testvec bf_dec_tv_template[] = {
5374 "\x2B\xC2\x59\xF0\x64\xFB\x92\x06", 5430 "\x2B\xC2\x59\xF0\x64\xFB\x92\x06",
5375 .rlen = 504, 5431 .rlen = 504,
5376 .also_non_np = 1, 5432 .also_non_np = 1,
5377 .np = 2, 5433 .np = 3,
5378 .tap = { 504 - 8, 8 }, 5434 .tap = { 504 - 10, 2, 8 },
5379 }, 5435 },
5380}; 5436};
5381 5437
@@ -5531,8 +5587,8 @@ static struct cipher_testvec bf_cbc_enc_tv_template[] = {
5531 "\xB4\x98\xD8\x6B\x74\xE7\x65\xF4", 5587 "\xB4\x98\xD8\x6B\x74\xE7\x65\xF4",
5532 .rlen = 504, 5588 .rlen = 504,
5533 .also_non_np = 1, 5589 .also_non_np = 1,
5534 .np = 2, 5590 .np = 3,
5535 .tap = { 504 - 8, 8 }, 5591 .tap = { 504 - 10, 2, 8 },
5536 }, 5592 },
5537}; 5593};
5538 5594
@@ -5688,8 +5744,8 @@ static struct cipher_testvec bf_cbc_dec_tv_template[] = {
5688 "\x2B\xC2\x59\xF0\x64\xFB\x92\x06", 5744 "\x2B\xC2\x59\xF0\x64\xFB\x92\x06",
5689 .rlen = 504, 5745 .rlen = 504,
5690 .also_non_np = 1, 5746 .also_non_np = 1,
5691 .np = 2, 5747 .np = 3,
5692 .tap = { 504 - 8, 8 }, 5748 .tap = { 504 - 10, 2, 8 },
5693 }, 5749 },
5694}; 5750};
5695 5751
@@ -6694,8 +6750,8 @@ static struct cipher_testvec tf_enc_tv_template[] = {
6694 "\x2C\x75\x64\xC4\xCA\xC1\x7E\xD5", 6750 "\x2C\x75\x64\xC4\xCA\xC1\x7E\xD5",
6695 .rlen = 496, 6751 .rlen = 496,
6696 .also_non_np = 1, 6752 .also_non_np = 1,
6697 .np = 2, 6753 .np = 3,
6698 .tap = { 496 - 16, 16 }, 6754 .tap = { 496 - 20, 4, 16 },
6699 }, 6755 },
6700}; 6756};
6701 6757
@@ -6862,8 +6918,8 @@ static struct cipher_testvec tf_dec_tv_template[] = {
6862 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 6918 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
6863 .rlen = 496, 6919 .rlen = 496,
6864 .also_non_np = 1, 6920 .also_non_np = 1,
6865 .np = 2, 6921 .np = 3,
6866 .tap = { 496 - 16, 16 }, 6922 .tap = { 496 - 20, 4, 16 },
6867 }, 6923 },
6868}; 6924};
6869 6925
@@ -7045,8 +7101,8 @@ static struct cipher_testvec tf_cbc_enc_tv_template[] = {
7045 "\x0A\xA3\x30\x10\x26\x25\x41\x2C", 7101 "\x0A\xA3\x30\x10\x26\x25\x41\x2C",
7046 .rlen = 496, 7102 .rlen = 496,
7047 .also_non_np = 1, 7103 .also_non_np = 1,
7048 .np = 2, 7104 .np = 3,
7049 .tap = { 496 - 16, 16 }, 7105 .tap = { 496 - 20, 4, 16 },
7050 }, 7106 },
7051}; 7107};
7052 7108
@@ -7228,8 +7284,8 @@ static struct cipher_testvec tf_cbc_dec_tv_template[] = {
7228 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 7284 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
7229 .rlen = 496, 7285 .rlen = 496,
7230 .also_non_np = 1, 7286 .also_non_np = 1,
7231 .np = 2, 7287 .np = 3,
7232 .tap = { 496 - 16, 16 }, 7288 .tap = { 496 - 20, 4, 16 },
7233 }, 7289 },
7234}; 7290};
7235 7291
@@ -8302,8 +8358,8 @@ static struct cipher_testvec tf_lrw_enc_tv_template[] = {
8302 "\x11\xd7\xb8\x6e\xea\xe1\x80\x30", 8358 "\x11\xd7\xb8\x6e\xea\xe1\x80\x30",
8303 .rlen = 512, 8359 .rlen = 512,
8304 .also_non_np = 1, 8360 .also_non_np = 1,
8305 .np = 2, 8361 .np = 3,
8306 .tap = { 512 - 16, 16 }, 8362 .tap = { 512 - 20, 4, 16 },
8307 }, 8363 },
8308}; 8364};
8309 8365
@@ -8555,8 +8611,8 @@ static struct cipher_testvec tf_lrw_dec_tv_template[] = {
8555 "\x21\xc4\xc2\x75\x67\x89\x37\x0a", 8611 "\x21\xc4\xc2\x75\x67\x89\x37\x0a",
8556 .rlen = 512, 8612 .rlen = 512,
8557 .also_non_np = 1, 8613 .also_non_np = 1,
8558 .np = 2, 8614 .np = 3,
8559 .tap = { 512 - 16, 16 }, 8615 .tap = { 512 - 20, 4, 16 },
8560 }, 8616 },
8561}; 8617};
8562 8618
@@ -8897,8 +8953,8 @@ static struct cipher_testvec tf_xts_enc_tv_template[] = {
8897 "\x37\x30\xe1\x91\x8d\xb3\x2a\xff", 8953 "\x37\x30\xe1\x91\x8d\xb3\x2a\xff",
8898 .rlen = 512, 8954 .rlen = 512,
8899 .also_non_np = 1, 8955 .also_non_np = 1,
8900 .np = 2, 8956 .np = 3,
8901 .tap = { 512 - 16, 16 }, 8957 .tap = { 512 - 20, 4, 16 },
8902 }, 8958 },
8903}; 8959};
8904 8960
@@ -9240,8 +9296,8 @@ static struct cipher_testvec tf_xts_dec_tv_template[] = {
9240 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 9296 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff",
9241 .rlen = 512, 9297 .rlen = 512,
9242 .also_non_np = 1, 9298 .also_non_np = 1,
9243 .np = 2, 9299 .np = 3,
9244 .tap = { 512 - 16, 16 }, 9300 .tap = { 512 - 20, 4, 16 },
9245 }, 9301 },
9246}; 9302};
9247 9303
@@ -9438,8 +9494,8 @@ static struct cipher_testvec serpent_enc_tv_template[] = {
9438 "\xF4\x46\x2E\xEB\xAC\xF3\xD2\xB7", 9494 "\xF4\x46\x2E\xEB\xAC\xF3\xD2\xB7",
9439 .rlen = 496, 9495 .rlen = 496,
9440 .also_non_np = 1, 9496 .also_non_np = 1,
9441 .np = 2, 9497 .np = 3,
9442 .tap = { 496 - 16, 16 }, 9498 .tap = { 496 - 20, 4, 16 },
9443 }, 9499 },
9444}; 9500};
9445 9501
@@ -9664,8 +9720,8 @@ static struct cipher_testvec serpent_dec_tv_template[] = {
9664 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 9720 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
9665 .rlen = 496, 9721 .rlen = 496,
9666 .also_non_np = 1, 9722 .also_non_np = 1,
9667 .np = 2, 9723 .np = 3,
9668 .tap = { 496 - 16, 16 }, 9724 .tap = { 496 - 20, 4, 16 },
9669 }, 9725 },
9670}; 9726};
9671 9727
@@ -9846,8 +9902,8 @@ static struct cipher_testvec serpent_cbc_enc_tv_template[] = {
9846 "\xBC\x08\x3A\xA2\x29\xB3\xDF\xD1", 9902 "\xBC\x08\x3A\xA2\x29\xB3\xDF\xD1",
9847 .rlen = 496, 9903 .rlen = 496,
9848 .also_non_np = 1, 9904 .also_non_np = 1,
9849 .np = 2, 9905 .np = 3,
9850 .tap = { 496 - 16, 16 }, 9906 .tap = { 496 - 20, 4, 16 },
9851 }, 9907 },
9852}; 9908};
9853 9909
@@ -9987,8 +10043,8 @@ static struct cipher_testvec serpent_cbc_dec_tv_template[] = {
9987 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 10043 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
9988 .rlen = 496, 10044 .rlen = 496,
9989 .also_non_np = 1, 10045 .also_non_np = 1,
9990 .np = 2, 10046 .np = 3,
9991 .tap = { 496 - 16, 16 }, 10047 .tap = { 496 - 20, 4, 16 },
9992 }, 10048 },
9993}; 10049};
9994 10050
@@ -11061,8 +11117,8 @@ static struct cipher_testvec serpent_lrw_enc_tv_template[] = {
11061 "\xd9\x51\x0f\xd7\x94\x2f\xc5\xa7", 11117 "\xd9\x51\x0f\xd7\x94\x2f\xc5\xa7",
11062 .rlen = 512, 11118 .rlen = 512,
11063 .also_non_np = 1, 11119 .also_non_np = 1,
11064 .np = 2, 11120 .np = 3,
11065 .tap = { 512 - 16, 16 }, 11121 .tap = { 512 - 20, 4, 16 },
11066 }, 11122 },
11067}; 11123};
11068 11124
@@ -11314,8 +11370,8 @@ static struct cipher_testvec serpent_lrw_dec_tv_template[] = {
11314 "\x21\xc4\xc2\x75\x67\x89\x37\x0a", 11370 "\x21\xc4\xc2\x75\x67\x89\x37\x0a",
11315 .rlen = 512, 11371 .rlen = 512,
11316 .also_non_np = 1, 11372 .also_non_np = 1,
11317 .np = 2, 11373 .np = 3,
11318 .tap = { 512 - 16, 16 }, 11374 .tap = { 512 - 20, 4, 16 },
11319 }, 11375 },
11320}; 11376};
11321 11377
@@ -11656,8 +11712,8 @@ static struct cipher_testvec serpent_xts_enc_tv_template[] = {
11656 "\xd4\xa0\x91\x98\x11\x5f\x4d\xb1", 11712 "\xd4\xa0\x91\x98\x11\x5f\x4d\xb1",
11657 .rlen = 512, 11713 .rlen = 512,
11658 .also_non_np = 1, 11714 .also_non_np = 1,
11659 .np = 2, 11715 .np = 3,
11660 .tap = { 512 - 16, 16 }, 11716 .tap = { 512 - 20, 4, 16 },
11661 }, 11717 },
11662}; 11718};
11663 11719
@@ -11999,8 +12055,8 @@ static struct cipher_testvec serpent_xts_dec_tv_template[] = {
11999 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 12055 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff",
12000 .rlen = 512, 12056 .rlen = 512,
12001 .also_non_np = 1, 12057 .also_non_np = 1,
12002 .np = 2, 12058 .np = 3,
12003 .tap = { 512 - 16, 16 }, 12059 .tap = { 512 - 20, 4, 16 },
12004 }, 12060 },
12005}; 12061};
12006 12062
@@ -12182,8 +12238,8 @@ static struct cipher_testvec cast6_enc_tv_template[] = {
12182 "\x11\x74\x93\x57\xB4\x7E\xC6\x00", 12238 "\x11\x74\x93\x57\xB4\x7E\xC6\x00",
12183 .rlen = 496, 12239 .rlen = 496,
12184 .also_non_np = 1, 12240 .also_non_np = 1,
12185 .np = 2, 12241 .np = 3,
12186 .tap = { 496 - 16, 16 }, 12242 .tap = { 496 - 20, 4, 16 },
12187 }, 12243 },
12188}; 12244};
12189 12245
@@ -12353,8 +12409,8 @@ static struct cipher_testvec cast6_dec_tv_template[] = {
12353 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 12409 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
12354 .rlen = 496, 12410 .rlen = 496,
12355 .also_non_np = 1, 12411 .also_non_np = 1,
12356 .np = 2, 12412 .np = 3,
12357 .tap = { 496 - 16, 16 }, 12413 .tap = { 496 - 20, 4, 16 },
12358 }, 12414 },
12359}; 12415};
12360 12416
@@ -12494,8 +12550,8 @@ static struct cipher_testvec cast6_cbc_enc_tv_template[] = {
12494 "\x22\x46\x89\x2D\x0F\x2B\x08\x24", 12550 "\x22\x46\x89\x2D\x0F\x2B\x08\x24",
12495 .rlen = 496, 12551 .rlen = 496,
12496 .also_non_np = 1, 12552 .also_non_np = 1,
12497 .np = 2, 12553 .np = 3,
12498 .tap = { 496 - 16, 16 }, 12554 .tap = { 496 - 20, 4, 16 },
12499 }, 12555 },
12500}; 12556};
12501 12557
@@ -12635,8 +12691,8 @@ static struct cipher_testvec cast6_cbc_dec_tv_template[] = {
12635 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 12691 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
12636 .rlen = 496, 12692 .rlen = 496,
12637 .also_non_np = 1, 12693 .also_non_np = 1,
12638 .np = 2, 12694 .np = 3,
12639 .tap = { 496 - 16, 16 }, 12695 .tap = { 496 - 20, 4, 16 },
12640 }, 12696 },
12641}; 12697};
12642 12698
@@ -12792,8 +12848,8 @@ static struct cipher_testvec cast6_ctr_enc_tv_template[] = {
12792 "\xF9\xC5\xDD\x27\xB3\x39\xCB\xCB", 12848 "\xF9\xC5\xDD\x27\xB3\x39\xCB\xCB",
12793 .rlen = 496, 12849 .rlen = 496,
12794 .also_non_np = 1, 12850 .also_non_np = 1,
12795 .np = 2, 12851 .np = 3,
12796 .tap = { 496 - 16, 16 }, 12852 .tap = { 496 - 20, 4, 16 },
12797 }, 12853 },
12798}; 12854};
12799 12855
@@ -12949,8 +13005,8 @@ static struct cipher_testvec cast6_ctr_dec_tv_template[] = {
12949 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 13005 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
12950 .rlen = 496, 13006 .rlen = 496,
12951 .also_non_np = 1, 13007 .also_non_np = 1,
12952 .np = 2, 13008 .np = 3,
12953 .tap = { 496 - 16, 16 }, 13009 .tap = { 496 - 20, 4, 16 },
12954 }, 13010 },
12955}; 13011};
12956 13012
@@ -13096,8 +13152,8 @@ static struct cipher_testvec cast6_lrw_enc_tv_template[] = {
13096 "\xC4\xF5\x99\x61\xBC\xBB\x5B\x46", 13152 "\xC4\xF5\x99\x61\xBC\xBB\x5B\x46",
13097 .rlen = 512, 13153 .rlen = 512,
13098 .also_non_np = 1, 13154 .also_non_np = 1,
13099 .np = 2, 13155 .np = 3,
13100 .tap = { 512 - 16, 16 }, 13156 .tap = { 512 - 20, 4, 16 },
13101 }, 13157 },
13102}; 13158};
13103 13159
@@ -13243,8 +13299,8 @@ static struct cipher_testvec cast6_lrw_dec_tv_template[] = {
13243 "\x21\xc4\xc2\x75\x67\x89\x37\x0a", 13299 "\x21\xc4\xc2\x75\x67\x89\x37\x0a",
13244 .rlen = 512, 13300 .rlen = 512,
13245 .also_non_np = 1, 13301 .also_non_np = 1,
13246 .np = 2, 13302 .np = 3,
13247 .tap = { 512 - 16, 16 }, 13303 .tap = { 512 - 20, 4, 16 },
13248 }, 13304 },
13249}; 13305};
13250 13306
@@ -13392,8 +13448,8 @@ static struct cipher_testvec cast6_xts_enc_tv_template[] = {
13392 "\x22\x60\x4E\xE8\xA4\x5D\x85\xB9", 13448 "\x22\x60\x4E\xE8\xA4\x5D\x85\xB9",
13393 .rlen = 512, 13449 .rlen = 512,
13394 .also_non_np = 1, 13450 .also_non_np = 1,
13395 .np = 2, 13451 .np = 3,
13396 .tap = { 512 - 16, 16 }, 13452 .tap = { 512 - 20, 4, 16 },
13397 }, 13453 },
13398}; 13454};
13399 13455
@@ -13541,8 +13597,8 @@ static struct cipher_testvec cast6_xts_dec_tv_template[] = {
13541 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 13597 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff",
13542 .rlen = 512, 13598 .rlen = 512,
13543 .also_non_np = 1, 13599 .also_non_np = 1,
13544 .np = 2, 13600 .np = 3,
13545 .tap = { 512 - 16, 16 }, 13601 .tap = { 512 - 20, 4, 16 },
13546 }, 13602 },
13547}; 13603};
13548 13604
@@ -13749,8 +13805,8 @@ static struct cipher_testvec aes_enc_tv_template[] = {
13749 "\x17\xBB\xC0\x6B\x62\x3F\x56\xE9", 13805 "\x17\xBB\xC0\x6B\x62\x3F\x56\xE9",
13750 .rlen = 496, 13806 .rlen = 496,
13751 .also_non_np = 1, 13807 .also_non_np = 1,
13752 .np = 2, 13808 .np = 3,
13753 .tap = { 496 - 16, 16 }, 13809 .tap = { 496 - 20, 4, 16 },
13754 }, 13810 },
13755}; 13811};
13756 13812
@@ -13921,8 +13977,8 @@ static struct cipher_testvec aes_dec_tv_template[] = {
13921 "\xED\x56\xBF\x28\xB4\x1D\x86\x12", 13977 "\xED\x56\xBF\x28\xB4\x1D\x86\x12",
13922 .rlen = 496, 13978 .rlen = 496,
13923 .also_non_np = 1, 13979 .also_non_np = 1,
13924 .np = 2, 13980 .np = 3,
13925 .tap = { 496 - 16, 16 }, 13981 .tap = { 496 - 20, 4, 16 },
13926 }, 13982 },
13927}; 13983};
13928 13984
@@ -14140,8 +14196,8 @@ static struct cipher_testvec aes_cbc_enc_tv_template[] = {
14140 "\xA3\xAA\x13\xCC\x50\xFF\x7B\x02", 14196 "\xA3\xAA\x13\xCC\x50\xFF\x7B\x02",
14141 .rlen = 496, 14197 .rlen = 496,
14142 .also_non_np = 1, 14198 .also_non_np = 1,
14143 .np = 2, 14199 .np = 3,
14144 .tap = { 496 - 16, 16 }, 14200 .tap = { 496 - 20, 4, 16 },
14145 }, 14201 },
14146}; 14202};
14147 14203
@@ -14359,8 +14415,8 @@ static struct cipher_testvec aes_cbc_dec_tv_template[] = {
14359 "\xED\x56\xBF\x28\xB4\x1D\x86\x12", 14415 "\xED\x56\xBF\x28\xB4\x1D\x86\x12",
14360 .rlen = 496, 14416 .rlen = 496,
14361 .also_non_np = 1, 14417 .also_non_np = 1,
14362 .np = 2, 14418 .np = 3,
14363 .tap = { 496 - 16, 16 }, 14419 .tap = { 496 - 20, 4, 16 },
14364 }, 14420 },
14365}; 14421};
14366 14422
@@ -16265,8 +16321,8 @@ static struct cipher_testvec aes_lrw_enc_tv_template[] = {
16265 "\x74\x3f\x7d\x58\x88\x75\xde\x3e", 16321 "\x74\x3f\x7d\x58\x88\x75\xde\x3e",
16266 .rlen = 512, 16322 .rlen = 512,
16267 .also_non_np = 1, 16323 .also_non_np = 1,
16268 .np = 2, 16324 .np = 3,
16269 .tap = { 512 - 16, 16 }, 16325 .tap = { 512 - 20, 4, 16 },
16270 } 16326 }
16271}; 16327};
16272 16328
@@ -16519,8 +16575,8 @@ static struct cipher_testvec aes_lrw_dec_tv_template[] = {
16519 "\x21\xc4\xc2\x75\x67\x89\x37\x0a", 16575 "\x21\xc4\xc2\x75\x67\x89\x37\x0a",
16520 .rlen = 512, 16576 .rlen = 512,
16521 .also_non_np = 1, 16577 .also_non_np = 1,
16522 .np = 2, 16578 .np = 3,
16523 .tap = { 512 - 16, 16 }, 16579 .tap = { 512 - 20, 4, 16 },
16524 } 16580 }
16525}; 16581};
16526 16582
@@ -16861,8 +16917,8 @@ static struct cipher_testvec aes_xts_enc_tv_template[] = {
16861 "\xb9\xc6\xe6\x93\xe1\x48\xc1\x51", 16917 "\xb9\xc6\xe6\x93\xe1\x48\xc1\x51",
16862 .rlen = 512, 16918 .rlen = 512,
16863 .also_non_np = 1, 16919 .also_non_np = 1,
16864 .np = 2, 16920 .np = 3,
16865 .tap = { 512 - 16, 16 }, 16921 .tap = { 512 - 20, 4, 16 },
16866 } 16922 }
16867}; 16923};
16868 16924
@@ -17203,8 +17259,8 @@ static struct cipher_testvec aes_xts_dec_tv_template[] = {
17203 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 17259 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff",
17204 .rlen = 512, 17260 .rlen = 512,
17205 .also_non_np = 1, 17261 .also_non_np = 1,
17206 .np = 2, 17262 .np = 3,
17207 .tap = { 512 - 16, 16 }, 17263 .tap = { 512 - 20, 4, 16 },
17208 } 17264 }
17209}; 17265};
17210 17266
@@ -17420,8 +17476,8 @@ static struct cipher_testvec aes_ctr_enc_tv_template[] = {
17420 "\xF1\x4C\xE5\xB2\x91\x64\x0C\x51", 17476 "\xF1\x4C\xE5\xB2\x91\x64\x0C\x51",
17421 .rlen = 496, 17477 .rlen = 496,
17422 .also_non_np = 1, 17478 .also_non_np = 1,
17423 .np = 2, 17479 .np = 3,
17424 .tap = { 496 - 16, 16 }, 17480 .tap = { 496 - 20, 4, 16 },
17425 }, { /* Generated with Crypto++ */ 17481 }, { /* Generated with Crypto++ */
17426 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55" 17482 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55"
17427 "\x0F\x32\x55\x78\x9B\xBE\x78\x9B" 17483 "\x0F\x32\x55\x78\x9B\xBE\x78\x9B"
@@ -17775,8 +17831,8 @@ static struct cipher_testvec aes_ctr_dec_tv_template[] = {
17775 "\xED\x56\xBF\x28\xB4\x1D\x86\x12", 17831 "\xED\x56\xBF\x28\xB4\x1D\x86\x12",
17776 .rlen = 496, 17832 .rlen = 496,
17777 .also_non_np = 1, 17833 .also_non_np = 1,
17778 .np = 2, 17834 .np = 3,
17779 .tap = { 496 - 16, 16 }, 17835 .tap = { 496 - 20, 4, 16 },
17780 }, { /* Generated with Crypto++ */ 17836 }, { /* Generated with Crypto++ */
17781 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55" 17837 .key = "\xC9\x83\xA6\xC9\xEC\x0F\x32\x55"
17782 "\x0F\x32\x55\x78\x9B\xBE\x78\x9B" 17838 "\x0F\x32\x55\x78\x9B\xBE\x78\x9B"
@@ -20743,6 +20799,834 @@ static struct cprng_testvec ansi_cprng_aes_tv_template[] = {
20743 }, 20799 },
20744}; 20800};
20745 20801
20802/*
20803 * SP800-90A DRBG Test vectors from
20804 * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip
20805 *
20806 * Test vectors for DRBG with prediction resistance. All types of DRBGs
20807 * (Hash, HMAC, CTR) are tested with all permutations of use cases (w/ and
20808 * w/o personalization string, w/ and w/o additional input string).
20809 */
20810static struct drbg_testvec drbg_pr_sha256_tv_template[] = {
20811 {
20812 .entropy = (unsigned char *)
20813 "\x72\x88\x4c\xcd\x6c\x85\x57\x70\xf7\x0b\x8b\x86"
20814 "\xc1\xeb\xd2\x4e\x36\x14\xab\x18\xc4\x9c\xc9\xcf"
20815 "\x1a\xe8\xf7\x7b\x02\x49\x73\xd7\xf1\x42\x7d\xc6"
20816 "\x3f\x29\x2d\xec\xd3\x66\x51\x3f\x1d\x8d\x5b\x4e",
20817 .entropylen = 48,
20818 .entpra = (unsigned char *)
20819 "\x38\x9c\x91\xfa\xc2\xa3\x46\x89\x56\x08\x3f\x62"
20820 "\x73\xd5\x22\xa9\x29\x63\x3a\x1d\xe5\x5d\x5e\x4f"
20821 "\x67\xb0\x67\x7a\x5e\x9e\x0c\x62",
20822 .entprb = (unsigned char *)
20823 "\xb2\x8f\x36\xb2\xf6\x8d\x39\x13\xfa\x6c\x66\xcf"
20824 "\x62\x8a\x7e\x8c\x12\x33\x71\x9c\x69\xe4\xa5\xf0"
20825 "\x8c\xee\xeb\x9c\xf5\x31\x98\x31",
20826 .entprlen = 32,
20827 .expected = (unsigned char *)
20828 "\x52\x7b\xa3\xad\x71\x77\xa4\x49\x42\x04\x61\xc7"
20829 "\xf0\xaf\xa5\xfd\xd3\xb3\x0d\x6a\x61\xba\x35\x49"
20830 "\xbb\xaa\xaf\xe4\x25\x7d\xb5\x48\xaf\x5c\x18\x3d"
20831 "\x33\x8d\x9d\x45\xdf\x98\xd5\x94\xa8\xda\x92\xfe"
20832 "\xc4\x3c\x94\x2a\xcf\x7f\x7b\xf2\xeb\x28\xa9\xf1"
20833 "\xe0\x86\x30\xa8\xfe\xf2\x48\x90\x91\x0c\x75\xb5"
20834 "\x3c\x00\xf0\x4d\x09\x4f\x40\xa7\xa2\x8c\x52\xdf"
20835 "\x52\xef\x17\xbf\x3d\xd1\xa2\x31\xb4\xb8\xdc\xe6"
20836 "\x5b\x0d\x1f\x78\x36\xb4\xe6\x4b\xa7\x11\x25\xd5"
20837 "\x94\xc6\x97\x36\xab\xf0\xe5\x31\x28\x6a\xbb\xce"
20838 "\x30\x81\xa6\x8f\x27\x14\xf8\x1c",
20839 .expectedlen = 128,
20840 .addtla = NULL,
20841 .addtlb = NULL,
20842 .addtllen = 0,
20843 .pers = NULL,
20844 .perslen = 0,
20845 }, {
20846 .entropy = (unsigned char *)
20847 "\x5d\xf2\x14\xbc\xf6\xb5\x4e\x0b\xf0\x0d\x6f\x2d"
20848 "\xe2\x01\x66\x7b\xd0\xa4\x73\xa4\x21\xdd\xb0\xc0"
20849 "\x51\x79\x09\xf4\xea\xa9\x08\xfa\xa6\x67\xe0\xe1"
20850 "\xd1\x88\xa8\xad\xee\x69\x74\xb3\x55\x06\x9b\xf6",
20851 .entropylen = 48,
20852 .entpra = (unsigned char *)
20853 "\xef\x48\x06\xa2\xc2\x45\xf1\x44\xfa\x34\x2c\xeb"
20854 "\x8d\x78\x3c\x09\x8f\x34\x72\x20\xf2\xe7\xfd\x13"
20855 "\x76\x0a\xf6\xdc\x3c\xf5\xc0\x15",
20856 .entprb = (unsigned char *)
20857 "\x4b\xbe\xe5\x24\xed\x6a\x2d\x0c\xdb\x73\x5e\x09"
20858 "\xf9\xad\x67\x7c\x51\x47\x8b\x6b\x30\x2a\xc6\xde"
20859 "\x76\xaa\x55\x04\x8b\x0a\x72\x95",
20860 .entprlen = 32,
20861 .expected = (unsigned char *)
20862 "\x3b\x14\x71\x99\xa1\xda\xa0\x42\xe6\xc8\x85\x32"
20863 "\x70\x20\x32\x53\x9a\xbe\xd1\x1e\x15\xef\xfb\x4c"
20864 "\x25\x6e\x19\x3a\xf0\xb9\xcb\xde\xf0\x3b\xc6\x18"
20865 "\x4d\x85\x5a\x9b\xf1\xe3\xc2\x23\x03\x93\x08\xdb"
20866 "\xa7\x07\x4b\x33\x78\x40\x4d\xeb\x24\xf5\x6e\x81"
20867 "\x4a\x1b\x6e\xa3\x94\x52\x43\xb0\xaf\x2e\x21\xf4"
20868 "\x42\x46\x8e\x90\xed\x34\x21\x75\xea\xda\x67\xb6"
20869 "\xe4\xf6\xff\xc6\x31\x6c\x9a\x5a\xdb\xb3\x97\x13"
20870 "\x09\xd3\x20\x98\x33\x2d\x6d\xd7\xb5\x6a\xa8\xa9"
20871 "\x9a\x5b\xd6\x87\x52\xa1\x89\x2b\x4b\x9c\x64\x60"
20872 "\x50\x47\xa3\x63\x81\x16\xaf\x19",
20873 .expectedlen = 128,
20874 .addtla = (unsigned char *)
20875 "\xbe\x13\xdb\x2a\xe9\xa8\xfe\x09\x97\xe1\xce\x5d"
20876 "\xe8\xbb\xc0\x7c\x4f\xcb\x62\x19\x3f\x0f\xd2\xad"
20877 "\xa9\xd0\x1d\x59\x02\xc4\xff\x70",
20878 .addtlb = (unsigned char *)
20879 "\x6f\x96\x13\xe2\xa7\xf5\x6c\xfe\xdf\x66\xe3\x31"
20880 "\x63\x76\xbf\x20\x27\x06\x49\xf1\xf3\x01\x77\x41"
20881 "\x9f\xeb\xe4\x38\xfe\x67\x00\xcd",
20882 .addtllen = 32,
20883 .pers = NULL,
20884 .perslen = 0,
20885 }, {
20886 .entropy = (unsigned char *)
20887 "\xc6\x1c\xaf\x83\xa2\x56\x38\xf9\xb0\xbc\xd9\x85"
20888 "\xf5\x2e\xc4\x46\x9c\xe1\xb9\x40\x98\x70\x10\x72"
20889 "\xd7\x7d\x15\x85\xa1\x83\x5a\x97\xdf\xc8\xa8\xe8"
20890 "\x03\x4c\xcb\x70\x35\x8b\x90\x94\x46\x8a\x6e\xa1",
20891 .entropylen = 48,
20892 .entpra = (unsigned char *)
20893 "\xc9\x05\xa4\xcf\x28\x80\x4b\x93\x0f\x8b\xc6\xf9"
20894 "\x09\x41\x58\x74\xe9\xec\x28\xc7\x53\x0a\x73\x60"
20895 "\xba\x0a\xde\x57\x5b\x4b\x9f\x29",
20896 .entprb = (unsigned char *)
20897 "\x4f\x31\xd2\xeb\xac\xfa\xa8\xe2\x01\x7d\xf3\xbd"
20898 "\x42\xbd\x20\xa0\x30\x65\x74\xd5\x5d\xd2\xad\xa4"
20899 "\xa9\xeb\x1f\x4d\xf6\xfd\xb8\x26",
20900 .entprlen = 32,
20901 .expected = (unsigned char *)
20902 "\xf6\x13\x05\xcb\x83\x60\x16\x42\x49\x1d\xc6\x25"
20903 "\x3b\x8c\x31\xa3\xbe\x8b\xbd\x1c\xe2\xec\x1d\xde"
20904 "\xbb\xbf\xa1\xac\xa8\x9f\x50\xce\x69\xce\xef\xd5"
20905 "\xd6\xf2\xef\x6a\xf7\x81\x38\xdf\xbc\xa7\x5a\xb9"
20906 "\xb2\x42\x65\xab\xe4\x86\x8d\x2d\x9d\x59\x99\x2c"
20907 "\x5a\x0d\x71\x55\x98\xa4\x45\xc2\x8d\xdb\x05\x5e"
20908 "\x50\x21\xf7\xcd\xe8\x98\x43\xce\x57\x74\x63\x4c"
20909 "\xf3\xb1\xa5\x14\x1e\x9e\x01\xeb\x54\xd9\x56\xae"
20910 "\xbd\xb6\x6f\x1a\x47\x6b\x3b\x44\xe4\xa2\xe9\x3c"
20911 "\x6c\x83\x12\x30\xb8\x78\x7f\x8e\x54\x82\xd4\xfe"
20912 "\x90\x35\x0d\x4c\x4d\x85\xe7\x13",
20913 .expectedlen = 128,
20914 .addtla = NULL,
20915 .addtlb = NULL,
20916 .addtllen = 0,
20917 .pers = (unsigned char *)
20918 "\xa5\xbf\xac\x4f\x71\xa1\xbb\x67\x94\xc6\x50\xc7"
20919 "\x2a\x45\x9e\x10\xa8\xed\xf7\x52\x4f\xfe\x21\x90"
20920 "\xa4\x1b\xe1\xe2\x53\xcc\x61\x47",
20921 .perslen = 32,
20922 }, {
20923 .entropy = (unsigned char *)
20924 "\xb6\xc1\x8d\xdf\x99\x54\xbe\x95\x10\x48\xd9\xf6"
20925 "\xd7\x48\xa8\x73\x2d\x74\xde\x1e\xde\x57\x7e\xf4"
20926 "\x7b\x7b\x64\xef\x88\x7a\xa8\x10\x4b\xe1\xc1\x87"
20927 "\xbb\x0b\xe1\x39\x39\x50\xaf\x68\x9c\xa2\xbf\x5e",
20928 .entropylen = 48,
20929 .entpra = (unsigned char *)
20930 "\xdc\x81\x0a\x01\x58\xa7\x2e\xce\xee\x48\x8c\x7c"
20931 "\x77\x9e\x3c\xf1\x17\x24\x7a\xbb\xab\x9f\xca\x12"
20932 "\x19\xaf\x97\x2d\x5f\xf9\xff\xfc",
20933 .entprb = (unsigned char *)
20934 "\xaf\xfc\x4f\x98\x8b\x93\x95\xc1\xb5\x8b\x7f\x73"
20935 "\x6d\xa6\xbe\x6d\x33\xeb\x2c\x82\xb1\xaf\xc1\xb6"
20936 "\xb6\x05\xe2\x44\xaa\xfd\xe7\xdb",
20937 .entprlen = 32,
20938 .expected = (unsigned char *)
20939 "\x51\x79\xde\x1c\x0f\x58\xf3\xf4\xc9\x57\x2e\x31"
20940 "\xa7\x09\xa1\x53\x64\x63\xa2\xc5\x1d\x84\x88\x65"
20941 "\x01\x1b\xc6\x16\x3c\x49\x5b\x42\x8e\x53\xf5\x18"
20942 "\xad\x94\x12\x0d\x4f\x55\xcc\x45\x5c\x98\x0f\x42"
20943 "\x28\x2f\x47\x11\xf9\xc4\x01\x97\x6b\xa0\x94\x50"
20944 "\xa9\xd1\x5e\x06\x54\x3f\xdf\xbb\xc4\x98\xee\x8b"
20945 "\xba\xa9\xfa\x49\xee\x1d\xdc\xfb\x50\xf6\x51\x9f"
20946 "\x6c\x4a\x9a\x6f\x63\xa2\x7d\xad\xaf\x3a\x24\xa0"
20947 "\xd9\x9f\x07\xeb\x15\xee\x26\xe0\xd5\x63\x39\xda"
20948 "\x3c\x59\xd6\x33\x6c\x02\xe8\x05\x71\x46\x68\x44"
20949 "\x63\x4a\x68\x72\xe9\xf5\x55\xfe",
20950 .expectedlen = 128,
20951 .addtla = (unsigned char *)
20952 "\x15\x20\x2f\xf6\x98\x28\x63\xa2\xc4\x4e\xbb\x6c"
20953 "\xb2\x25\x92\x61\x79\xc9\x22\xc4\x61\x54\x96\xff"
20954 "\x4a\x85\xca\x80\xfe\x0d\x1c\xd0",
20955 .addtlb = (unsigned char *)
20956 "\xde\x29\x8e\x03\x42\x61\xa3\x28\x5e\xc8\x80\xc2"
20957 "\x6d\xbf\xad\x13\xe1\x8d\x2a\xc7\xe8\xc7\x18\x89"
20958 "\x42\x58\x9e\xd6\xcc\xad\x7b\x1e",
20959 .addtllen = 32,
20960 .pers = (unsigned char *)
20961 "\x84\xc3\x73\x9e\xce\xb3\xbc\x89\xf7\x62\xb3\xe1"
20962 "\xd7\x48\x45\x8a\xa9\xcc\xe9\xed\xd5\x81\x84\x52"
20963 "\x82\x4c\xdc\x19\xb8\xf8\x92\x5c",
20964 .perslen = 32,
20965 },
20966};
20967
20968static struct drbg_testvec drbg_pr_hmac_sha256_tv_template[] = {
20969 {
20970 .entropy = (unsigned char *)
20971 "\x99\x69\xe5\x4b\x47\x03\xff\x31\x78\x5b\x87\x9a"
20972 "\x7e\x5c\x0e\xae\x0d\x3e\x30\x95\x59\xe9\xfe\x96"
20973 "\xb0\x67\x6d\x49\xd5\x91\xea\x4d\x07\xd2\x0d\x46"
20974 "\xd0\x64\x75\x7d\x30\x23\xca\xc2\x37\x61\x27\xab",
20975 .entropylen = 48,
20976 .entpra = (unsigned char *)
20977 "\xc6\x0f\x29\x99\x10\x0f\x73\x8c\x10\xf7\x47\x92"
20978 "\x67\x6a\x3f\xc4\xa2\x62\xd1\x37\x21\x79\x80\x46"
20979 "\xe2\x9a\x29\x51\x81\x56\x9f\x54",
20980 .entprb = (unsigned char *)
20981 "\xc1\x1d\x45\x24\xc9\x07\x1b\xd3\x09\x60\x15\xfc"
20982 "\xf7\xbc\x24\xa6\x07\xf2\x2f\xa0\x65\xc9\x37\x65"
20983 "\x8a\x2a\x77\xa8\x69\x90\x89\xf4",
20984 .entprlen = 32,
20985 .expected = (unsigned char *)
20986 "\xab\xc0\x15\x85\x60\x94\x80\x3a\x93\x8d\xff\xd2"
20987 "\x0d\xa9\x48\x43\x87\x0e\xf9\x35\xb8\x2c\xfe\xc1"
20988 "\x77\x06\xb8\xf5\x51\xb8\x38\x50\x44\x23\x5d\xd4"
20989 "\x4b\x59\x9f\x94\xb3\x9b\xe7\x8d\xd4\x76\xe0\xcf"
20990 "\x11\x30\x9c\x99\x5a\x73\x34\xe0\xa7\x8b\x37\xbc"
20991 "\x95\x86\x23\x50\x86\xfa\x3b\x63\x7b\xa9\x1c\xf8"
20992 "\xfb\x65\xef\xa2\x2a\x58\x9c\x13\x75\x31\xaa\x7b"
20993 "\x2d\x4e\x26\x07\xaa\xc2\x72\x92\xb0\x1c\x69\x8e"
20994 "\x6e\x01\xae\x67\x9e\xb8\x7c\x01\xa8\x9c\x74\x22"
20995 "\xd4\x37\x2d\x6d\x75\x4a\xba\xbb\x4b\xf8\x96\xfc"
20996 "\xb1\xcd\x09\xd6\x92\xd0\x28\x3f",
20997 .expectedlen = 128,
20998 .addtla = NULL,
20999 .addtlb = NULL,
21000 .addtllen = 0,
21001 .pers = NULL,
21002 .perslen = 0,
21003 }, {
21004 .entropy = (unsigned char *)
21005 "\xb9\x1f\xe9\xef\xdd\x9b\x7d\x20\xb6\xec\xe0\x2f"
21006 "\xdb\x76\x24\xce\x41\xc8\x3a\x4a\x12\x7f\x3e\x2f"
21007 "\xae\x05\x99\xea\xb5\x06\x71\x0d\x0c\x4c\xb4\x05"
21008 "\x26\xc6\xbd\xf5\x7f\x2a\x3d\xf2\xb5\x49\x7b\xda",
21009 .entropylen = 48,
21010 .entpra = (unsigned char *)
21011 "\xef\x67\x50\x9c\xa7\x7d\xdf\xb7\x2d\x81\x01\xa4"
21012 "\x62\x81\x6a\x69\x5b\xb3\x37\x45\xa7\x34\x8e\x26"
21013 "\x46\xd9\x26\xa2\x19\xd4\x94\x43",
21014 .entprb = (unsigned char *)
21015 "\x97\x75\x53\x53\xba\xb4\xa6\xb2\x91\x60\x71\x79"
21016 "\xd1\x6b\x4a\x24\x9a\x34\x66\xcc\x33\xab\x07\x98"
21017 "\x51\x78\x72\xb2\x79\xfd\x2c\xff",
21018 .entprlen = 32,
21019 .expected = (unsigned char *)
21020 "\x9c\xdc\x63\x8a\x19\x23\x22\x66\x0c\xc5\xb9\xd7"
21021 "\xfb\x2a\xb0\x31\xe3\x8a\x36\xa8\x5a\xa8\x14\xda"
21022 "\x1e\xa9\xcc\xfe\xb8\x26\x44\x83\x9f\xf6\xff\xaa"
21023 "\xc8\x98\xb8\x30\x35\x3b\x3d\x36\xd2\x49\xd4\x40"
21024 "\x62\x0a\x65\x10\x76\x55\xef\xc0\x95\x9c\xa7\xda"
21025 "\x3f\xcf\xb7\x7b\xc6\xe1\x28\x52\xfc\x0c\xe2\x37"
21026 "\x0d\x83\xa7\x51\x4b\x31\x47\x3c\xe1\x3c\xae\x70"
21027 "\x01\xc8\xa3\xd3\xc2\xac\x77\x9c\xd1\x68\x77\x9b"
21028 "\x58\x27\x3b\xa5\x0f\xc2\x7a\x8b\x04\x65\x62\xd5"
21029 "\xe8\xd6\xfe\x2a\xaf\xd3\xd3\xfe\xbd\x18\xfb\xcd"
21030 "\xcd\x66\xb5\x01\x69\x66\xa0\x3c",
21031 .expectedlen = 128,
21032 .addtla = (unsigned char *)
21033 "\x17\xc1\x56\xcb\xcc\x50\xd6\x03\x7d\x45\x76\xa3"
21034 "\x75\x76\xc1\x4a\x66\x1b\x2e\xdf\xb0\x2e\x7d\x56"
21035 "\x6d\x99\x3b\xc6\x58\xda\x03\xf6",
21036 .addtlb = (unsigned char *)
21037 "\x7c\x7b\x4a\x4b\x32\x5e\x6f\x67\x34\xf5\x21\x4c"
21038 "\xf9\x96\xf9\xbf\x1c\x8c\x81\xd3\x9b\x60\x6a\x44"
21039 "\xc6\x03\xa2\xfb\x13\x20\x19\xb7",
21040 .addtllen = 32,
21041 .pers = NULL,
21042 .perslen = 0,
21043 }, {
21044 .entropy = (unsigned char *)
21045 "\x13\x54\x96\xfc\x1b\x7d\x28\xf3\x18\xc9\xa7\x89"
21046 "\xb6\xb3\xc8\x72\xac\x00\xd4\x59\x36\x25\x05\xaf"
21047 "\xa5\xdb\x96\xcb\x3c\x58\x46\x87\xa5\xaa\xbf\x20"
21048 "\x3b\xfe\x23\x0e\xd1\xc7\x41\x0f\x3f\xc9\xb3\x67",
21049 .entropylen = 48,
21050 .entpra = (unsigned char *)
21051 "\xe2\xbd\xb7\x48\x08\x06\xf3\xe1\x93\x3c\xac\x79"
21052 "\xa7\x2b\x11\xda\xe3\x2e\xe1\x91\xa5\x02\x19\x57"
21053 "\x20\x28\xad\xf2\x60\xd7\xcd\x45",
21054 .entprb = (unsigned char *)
21055 "\x8b\xd4\x69\xfc\xff\x59\x95\x95\xc6\x51\xde\x71"
21056 "\x68\x5f\xfc\xf9\x4a\xab\xec\x5a\xcb\xbe\xd3\x66"
21057 "\x1f\xfa\x74\xd3\xac\xa6\x74\x60",
21058 .entprlen = 32,
21059 .expected = (unsigned char *)
21060 "\x1f\x9e\xaf\xe4\xd2\x46\xb7\x47\x41\x4c\x65\x99"
21061 "\x01\xe9\x3b\xbb\x83\x0c\x0a\xb0\xc1\x3a\xe2\xb3"
21062 "\x31\x4e\xeb\x93\x73\xee\x0b\x26\xc2\x63\xa5\x75"
21063 "\x45\x99\xd4\x5c\x9f\xa1\xd4\x45\x87\x6b\x20\x61"
21064 "\x40\xea\x78\xa5\x32\xdf\x9e\x66\x17\xaf\xb1\x88"
21065 "\x9e\x2e\x23\xdd\xc1\xda\x13\x97\x88\xa5\xb6\x5e"
21066 "\x90\x14\x4e\xef\x13\xab\x5c\xd9\x2c\x97\x9e\x7c"
21067 "\xd7\xf8\xce\xea\x81\xf5\xcd\x71\x15\x49\x44\xce"
21068 "\x83\xb6\x05\xfb\x7d\x30\xb5\x57\x2c\x31\x4f\xfc"
21069 "\xfe\x80\xb6\xc0\x13\x0c\x5b\x9b\x2e\x8f\x3d\xfc"
21070 "\xc2\xa3\x0c\x11\x1b\x80\x5f\xf3",
21071 .expectedlen = 128,
21072 .addtla = NULL,
21073 .addtlb = NULL,
21074 .addtllen = 0,
21075 .pers = (unsigned char *)
21076 "\x64\xb6\xfc\x60\xbc\x61\x76\x23\x6d\x3f\x4a\x0f"
21077 "\xe1\xb4\xd5\x20\x9e\x70\xdd\x03\x53\x6d\xbf\xce"
21078 "\xcd\x56\x80\xbc\xb8\x15\xc8\xaa",
21079 .perslen = 32,
21080 }, {
21081 .entropy = (unsigned char *)
21082 "\xc7\xcc\xbc\x67\x7e\x21\x66\x1e\x27\x2b\x63\xdd"
21083 "\x3a\x78\xdc\xdf\x66\x6d\x3f\x24\xae\xcf\x37\x01"
21084 "\xa9\x0d\x89\x8a\xa7\xdc\x81\x58\xae\xb2\x10\x15"
21085 "\x7e\x18\x44\x6d\x13\xea\xdf\x37\x85\xfe\x81\xfb",
21086 .entropylen = 48,
21087 .entpra = (unsigned char *)
21088 "\x7b\xa1\x91\x5b\x3c\x04\xc4\x1b\x1d\x19\x2f\x1a"
21089 "\x18\x81\x60\x3c\x6c\x62\x91\xb7\xe9\xf5\xcb\x96"
21090 "\xbb\x81\x6a\xcc\xb5\xae\x55\xb6",
21091 .entprb = (unsigned char *)
21092 "\x99\x2c\xc7\x78\x7e\x3b\x88\x12\xef\xbe\xd3\xd2"
21093 "\x7d\x2a\xa5\x86\xda\x8d\x58\x73\x4a\x0a\xb2\x2e"
21094 "\xbb\x4c\x7e\xe3\x9a\xb6\x81\xc1",
21095 .entprlen = 32,
21096 .expected = (unsigned char *)
21097 "\x95\x6f\x95\xfc\x3b\xb7\xfe\x3e\xd0\x4e\x1a\x14"
21098 "\x6c\x34\x7f\x7b\x1d\x0d\x63\x5e\x48\x9c\x69\xe6"
21099 "\x46\x07\xd2\x87\xf3\x86\x52\x3d\x98\x27\x5e\xd7"
21100 "\x54\xe7\x75\x50\x4f\xfb\x4d\xfd\xac\x2f\x4b\x77"
21101 "\xcf\x9e\x8e\xcc\x16\xa2\x24\xcd\x53\xde\x3e\xc5"
21102 "\x55\x5d\xd5\x26\x3f\x89\xdf\xca\x8b\x4e\x1e\xb6"
21103 "\x88\x78\x63\x5c\xa2\x63\x98\x4e\x6f\x25\x59\xb1"
21104 "\x5f\x2b\x23\xb0\x4b\xa5\x18\x5d\xc2\x15\x74\x40"
21105 "\x59\x4c\xb4\x1e\xcf\x9a\x36\xfd\x43\xe2\x03\xb8"
21106 "\x59\x91\x30\x89\x2a\xc8\x5a\x43\x23\x7c\x73\x72"
21107 "\xda\x3f\xad\x2b\xba\x00\x6b\xd1",
21108 .expectedlen = 128,
21109 .addtla = (unsigned char *)
21110 "\x18\xe8\x17\xff\xef\x39\xc7\x41\x5c\x73\x03\x03"
21111 "\xf6\x3d\xe8\x5f\xc8\xab\xe4\xab\x0f\xad\xe8\xd6"
21112 "\x86\x88\x55\x28\xc1\x69\xdd\x76",
21113 .addtlb = (unsigned char *)
21114 "\xac\x07\xfc\xbe\x87\x0e\xd3\xea\x1f\x7e\xb8\xe7"
21115 "\x9d\xec\xe8\xe7\xbc\xf3\x18\x25\x77\x35\x4a\xaa"
21116 "\x00\x99\x2a\xdd\x0a\x00\x50\x82",
21117 .addtllen = 32,
21118 .pers = (unsigned char *)
21119 "\xbc\x55\xab\x3c\xf6\x52\xb0\x11\x3d\x7b\x90\xb8"
21120 "\x24\xc9\x26\x4e\x5a\x1e\x77\x0d\x3d\x58\x4a\xda"
21121 "\xd1\x81\xe9\xf8\xeb\x30\x8f\x6f",
21122 .perslen = 32,
21123 },
21124};
21125
21126static struct drbg_testvec drbg_pr_ctr_aes128_tv_template[] = {
21127 {
21128 .entropy = (unsigned char *)
21129 "\xd1\x44\xc6\x61\x81\x6d\xca\x9d\x15\x28\x8a\x42"
21130 "\x94\xd7\x28\x9c\x43\x77\x19\x29\x1a\x6d\xc3\xa2",
21131 .entropylen = 24,
21132 .entpra = (unsigned char *)
21133 "\x96\xd8\x9e\x45\x32\xc9\xd2\x08\x7a\x6d\x97\x15"
21134 "\xb4\xec\x80\xb1",
21135 .entprb = (unsigned char *)
21136 "\x8b\xb6\x72\xb5\x24\x0b\x98\x65\x95\x95\xe9\xc9"
21137 "\x28\x07\xeb\xc2",
21138 .entprlen = 16,
21139 .expected = (unsigned char *)
21140 "\x70\x19\xd0\x4c\x45\x78\xd6\x68\xa9\x9a\xaa\xfe"
21141 "\xc1\xdf\x27\x9a\x1c\x0d\x0d\xf7\x24\x75\x46\xcc"
21142 "\x77\x6b\xdf\x89\xc6\x94\xdc\x74\x50\x10\x70\x18"
21143 "\x9b\xdc\x96\xb4\x89\x23\x40\x1a\xce\x09\x87\xce"
21144 "\xd2\xf3\xd5\xe4\x51\x67\x74\x11\x5a\xcc\x8b\x3b"
21145 "\x8a\xf1\x23\xa8",
21146 .expectedlen = 64,
21147 .addtla = NULL,
21148 .addtlb = NULL,
21149 .addtllen = 0,
21150 .pers = NULL,
21151 .perslen = 0,
21152 }, {
21153 .entropy = (unsigned char *)
21154 "\x8e\x83\xe0\xeb\x37\xea\x3e\x53\x5e\x17\x6e\x77"
21155 "\xbd\xb1\x53\x90\xfc\xdc\xc1\x3c\x9a\x88\x22\x94",
21156 .entropylen = 24,
21157 .entpra = (unsigned char *)
21158 "\x6a\x85\xe7\x37\xc8\xf1\x04\x31\x98\x4f\xc8\x73"
21159 "\x67\xd1\x08\xf8",
21160 .entprb = (unsigned char *)
21161 "\xd7\xa4\x68\xe2\x12\x74\xc3\xd9\xf1\xb7\x05\xbc"
21162 "\xd4\xba\x04\x58",
21163 .entprlen = 16,
21164 .expected = (unsigned char *)
21165 "\x78\xd6\xa6\x70\xff\xd1\x82\xf5\xa2\x88\x7f\x6d"
21166 "\x3d\x8c\x39\xb1\xa8\xcb\x2c\x91\xab\x14\x7e\xbc"
21167 "\x95\x45\x9f\x24\xb8\x20\xac\x21\x23\xdb\x72\xd7"
21168 "\x12\x8d\x48\x95\xf3\x19\x0c\x43\xc6\x19\x45\xfc"
21169 "\x8b\xac\x40\x29\x73\x00\x03\x45\x5e\x12\xff\x0c"
21170 "\xc1\x02\x41\x82",
21171 .expectedlen = 64,
21172 .addtla = (unsigned char *)
21173 "\xa2\xd9\x38\xcf\x8b\x29\x67\x5b\x65\x62\x6f\xe8"
21174 "\xeb\xb3\x01\x76",
21175 .addtlb = (unsigned char *)
21176 "\x59\x63\x1e\x81\x8a\x14\xa8\xbb\xa1\xb8\x41\x25"
21177 "\xd0\x7f\xcc\x43",
21178 .addtllen = 16,
21179 .pers = NULL,
21180 .perslen = 0,
21181 }, {
21182 .entropy = (unsigned char *)
21183 "\x04\xd9\x49\xa6\xdc\xe8\x6e\xbb\xf1\x08\x77\x2b"
21184 "\x9e\x08\xca\x92\x65\x16\xda\x99\xa2\x59\xf3\xe8",
21185 .entropylen = 24,
21186 .entpra = (unsigned char *)
21187 "\x38\x7e\x3f\x6b\x51\x70\x7b\x20\xec\x53\xd0\x66"
21188 "\xc3\x0f\xe3\xb0",
21189 .entprb = (unsigned char *)
21190 "\xe0\x86\xa6\xaa\x5f\x72\x2f\xad\xf7\xef\x06\xb8"
21191 "\xd6\x9c\x9d\xe8",
21192 .entprlen = 16,
21193 .expected = (unsigned char *)
21194 "\xc9\x0a\xaf\x85\x89\x71\x44\x66\x4f\x25\x0b\x2b"
21195 "\xde\xd8\xfa\xff\x52\x5a\x1b\x32\x5e\x41\x7a\x10"
21196 "\x1f\xef\x1e\x62\x23\xe9\x20\x30\xc9\x0d\xad\x69"
21197 "\xb4\x9c\x5b\xf4\x87\x42\xd5\xae\x5e\x5e\x43\xcc"
21198 "\xd9\xfd\x0b\x93\x4a\xe3\xd4\x06\x37\x36\x0f\x3f"
21199 "\x72\x82\x0c\xcf",
21200 .expectedlen = 64,
21201 .addtla = NULL,
21202 .addtlb = NULL,
21203 .addtllen = 0,
21204 .pers = (unsigned char *)
21205 "\xbf\xa4\x9a\x8f\x7b\xd8\xb1\x7a\x9d\xfa\x45\xed"
21206 "\x21\x52\xb3\xad",
21207 .perslen = 16,
21208 }, {
21209 .entropy = (unsigned char *)
21210 "\x92\x89\x8f\x31\xfa\x1c\xff\x6d\x18\x2f\x26\x06"
21211 "\x43\xdf\xf8\x18\xc2\xa4\xd9\x72\xc3\xb9\xb6\x97",
21212 .entropylen = 24,
21213 .entpra = (unsigned char *)
21214 "\x20\x72\x8a\x06\xf8\x6f\x8d\xd4\x41\xe2\x72\xb7"
21215 "\xc4\x2c\xe8\x10",
21216 .entprb = (unsigned char *)
21217 "\x3d\xb0\xf0\x94\xf3\x05\x50\x33\x17\x86\x3e\x22"
21218 "\x08\xf7\xa5\x01",
21219 .entprlen = 16,
21220 .expected = (unsigned char *)
21221 "\x5a\x35\x39\x87\x0f\x4d\x22\xa4\x09\x24\xee\x71"
21222 "\xc9\x6f\xac\x72\x0a\xd6\xf0\x88\x82\xd0\x83\x28"
21223 "\x73\xec\x3f\x93\xd8\xab\x45\x23\xf0\x7e\xac\x45"
21224 "\x14\x5e\x93\x9f\xb1\xd6\x76\x43\x3d\xb6\xe8\x08"
21225 "\x88\xf6\xda\x89\x08\x77\x42\xfe\x1a\xf4\x3f\xc4"
21226 "\x23\xc5\x1f\x68",
21227 .expectedlen = 64,
21228 .addtla = (unsigned char *)
21229 "\x1a\x40\xfa\xe3\xcc\x6c\x7c\xa0\xf8\xda\xba\x59"
21230 "\x23\x6d\xad\x1d",
21231 .addtlb = (unsigned char *)
21232 "\x9f\x72\x76\x6c\xc7\x46\xe5\xed\x2e\x53\x20\x12"
21233 "\xbc\x59\x31\x8c",
21234 .addtllen = 16,
21235 .pers = (unsigned char *)
21236 "\xea\x65\xee\x60\x26\x4e\x7e\xb6\x0e\x82\x68\xc4"
21237 "\x37\x3c\x5c\x0b",
21238 .perslen = 16,
21239 },
21240};
21241
21242/*
21243 * SP800-90A DRBG Test vectors from
21244 * http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgtestvectors.zip
21245 *
21246 * Test vectors for DRBG without prediction resistance. All types of DRBGs
21247 * (Hash, HMAC, CTR) are tested with all permutations of use cases (w/ and
21248 * w/o personalization string, w/ and w/o additional input string).
21249 */
21250static struct drbg_testvec drbg_nopr_sha256_tv_template[] = {
21251 {
21252 .entropy = (unsigned char *)
21253 "\xa6\x5a\xd0\xf3\x45\xdb\x4e\x0e\xff\xe8\x75\xc3"
21254 "\xa2\xe7\x1f\x42\xc7\x12\x9d\x62\x0f\xf5\xc1\x19"
21255 "\xa9\xef\x55\xf0\x51\x85\xe0\xfb\x85\x81\xf9\x31"
21256 "\x75\x17\x27\x6e\x06\xe9\x60\x7d\xdb\xcb\xcc\x2e",
21257 .entropylen = 48,
21258 .expected = (unsigned char *)
21259 "\xd3\xe1\x60\xc3\x5b\x99\xf3\x40\xb2\x62\x82\x64"
21260 "\xd1\x75\x10\x60\xe0\x04\x5d\xa3\x83\xff\x57\xa5"
21261 "\x7d\x73\xa6\x73\xd2\xb8\xd8\x0d\xaa\xf6\xa6\xc3"
21262 "\x5a\x91\xbb\x45\x79\xd7\x3f\xd0\xc8\xfe\xd1\x11"
21263 "\xb0\x39\x13\x06\x82\x8a\xdf\xed\x52\x8f\x01\x81"
21264 "\x21\xb3\xfe\xbd\xc3\x43\xe7\x97\xb8\x7d\xbb\x63"
21265 "\xdb\x13\x33\xde\xd9\xd1\xec\xe1\x77\xcf\xa6\xb7"
21266 "\x1f\xe8\xab\x1d\xa4\x66\x24\xed\x64\x15\xe5\x1c"
21267 "\xcd\xe2\xc7\xca\x86\xe2\x83\x99\x0e\xea\xeb\x91"
21268 "\x12\x04\x15\x52\x8b\x22\x95\x91\x02\x81\xb0\x2d"
21269 "\xd4\x31\xf4\xc9\xf7\x04\x27\xdf",
21270 .expectedlen = 128,
21271 .addtla = NULL,
21272 .addtlb = NULL,
21273 .addtllen = 0,
21274 .pers = NULL,
21275 .perslen = 0,
21276 }, {
21277 .entropy = (unsigned char *)
21278 "\x73\xd3\xfb\xa3\x94\x5f\x2b\x5f\xb9\x8f\xf6\x9c"
21279 "\x8a\x93\x17\xae\x19\xc3\x4c\xc3\xd6\xca\xa3\x2d"
21280 "\x16\xfc\x42\xd2\x2d\xd5\x6f\x56\xcc\x1d\x30\xff"
21281 "\x9e\x06\x3e\x09\xce\x58\xe6\x9a\x35\xb3\xa6\x56",
21282 .entropylen = 48,
21283 .expected = (unsigned char *)
21284 "\x71\x7b\x93\x46\x1a\x40\xaa\x35\xa4\xaa\xc5\xe7"
21285 "\x6d\x5b\x5b\x8a\xa0\xdf\x39\x7d\xae\x71\x58\x5b"
21286 "\x3c\x7c\xb4\xf0\x89\xfa\x4a\x8c\xa9\x5c\x54\xc0"
21287 "\x40\xdf\xbc\xce\x26\x81\x34\xf8\xba\x7d\x1c\xe8"
21288 "\xad\x21\xe0\x74\xcf\x48\x84\x30\x1f\xa1\xd5\x4f"
21289 "\x81\x42\x2f\xf4\xdb\x0b\x23\xf8\x73\x27\xb8\x1d"
21290 "\x42\xf8\x44\x58\xd8\x5b\x29\x27\x0a\xf8\x69\x59"
21291 "\xb5\x78\x44\xeb\x9e\xe0\x68\x6f\x42\x9a\xb0\x5b"
21292 "\xe0\x4e\xcb\x6a\xaa\xe2\xd2\xd5\x33\x25\x3e\xe0"
21293 "\x6c\xc7\x6a\x07\xa5\x03\x83\x9f\xe2\x8b\xd1\x1c"
21294 "\x70\xa8\x07\x59\x97\xeb\xf6\xbe",
21295 .expectedlen = 128,
21296 .addtla = (unsigned char *)
21297 "\xf4\xd5\x98\x3d\xa8\xfc\xfa\x37\xb7\x54\x67\x73"
21298 "\xc7\xc3\xdd\x47\x34\x71\x02\x5d\xc1\xa0\xd3\x10"
21299 "\xc1\x8b\xbd\xf5\x66\x34\x6f\xdd",
21300 .addtlb = (unsigned char *)
21301 "\xf7\x9e\x6a\x56\x0e\x73\xe9\xd9\x7a\xd1\x69\xe0"
21302 "\x6f\x8c\x55\x1c\x44\xd1\xce\x6f\x28\xcc\xa4\x4d"
21303 "\xa8\xc0\x85\xd1\x5a\x0c\x59\x40",
21304 .addtllen = 32,
21305 .pers = NULL,
21306 .perslen = 0,
21307 }, {
21308 .entropy = (unsigned char *)
21309 "\x2a\x85\xa9\x8b\xd0\xda\x83\xd6\xad\xab\x9f\xbb"
21310 "\x54\x31\x15\x95\x1c\x4d\x49\x9f\x6a\x15\xf6\xe4"
21311 "\x15\x50\x88\x06\x29\x0d\xed\x8d\xb9\x6f\x96\xe1"
21312 "\x83\x9f\xf7\x88\xda\x84\xbf\x44\x28\xd9\x1d\xaa",
21313 .entropylen = 48,
21314 .expected = (unsigned char *)
21315 "\x2d\x55\xde\xc9\xed\x05\x47\x07\x3d\x04\xfc\x28"
21316 "\x0f\x92\xf0\x4d\xd8\x00\x32\x47\x0a\x1b\x1c\x4b"
21317 "\xef\xd9\x97\xa1\x17\x67\xda\x26\x6c\xfe\x76\x46"
21318 "\x6f\xbc\x6d\x82\x4e\x83\x8a\x98\x66\x6c\x01\xb6"
21319 "\xe6\x64\xe0\x08\x10\x6f\xd3\x5d\x90\xe7\x0d\x72"
21320 "\xa6\xa7\xe3\xbb\x98\x11\x12\x56\x23\xc2\x6d\xd1"
21321 "\xc8\xa8\x7a\x39\xf3\x34\xe3\xb8\xf8\x66\x00\x77"
21322 "\x7d\xcf\x3c\x3e\xfa\xc9\x0f\xaf\xe0\x24\xfa\xe9"
21323 "\x84\xf9\x6a\x01\xf6\x35\xdb\x5c\xab\x2a\xef\x4e"
21324 "\xac\xab\x55\xb8\x9b\xef\x98\x68\xaf\x51\xd8\x16"
21325 "\xa5\x5e\xae\xf9\x1e\xd2\xdb\xe6",
21326 .expectedlen = 128,
21327 .addtla = NULL,
21328 .addtlb = NULL,
21329 .addtllen = 0,
21330 .pers = (unsigned char *)
21331 "\xa8\x80\xec\x98\x30\x98\x15\xd2\xc6\xc4\x68\xf1"
21332 "\x3a\x1c\xbf\xce\x6a\x40\x14\xeb\x36\x99\x53\xda"
21333 "\x57\x6b\xce\xa4\x1c\x66\x3d\xbc",
21334 .perslen = 32,
21335 }, {
21336 .entropy = (unsigned char *)
21337 "\x69\xed\x82\xa9\xc5\x7b\xbf\xe5\x1d\x2f\xcb\x7a"
21338 "\xd3\x50\x7d\x96\xb4\xb9\x2b\x50\x77\x51\x27\x74"
21339 "\x33\x74\xba\xf1\x30\xdf\x8e\xdf\x87\x1d\x87\xbc"
21340 "\x96\xb2\xc3\xa7\xed\x60\x5e\x61\x4e\x51\x29\x1a",
21341 .entropylen = 48,
21342 .expected = (unsigned char *)
21343 "\xa5\x71\x24\x31\x11\xfe\x13\xe1\xa8\x24\x12\xfb"
21344 "\x37\xa1\x27\xa5\xab\x77\xa1\x9f\xae\x8f\xaf\x13"
21345 "\x93\xf7\x53\x85\x91\xb6\x1b\xab\xd4\x6b\xea\xb6"
21346 "\xef\xda\x4c\x90\x6e\xef\x5f\xde\xe1\xc7\x10\x36"
21347 "\xd5\x67\xbd\x14\xb6\x89\x21\x0c\xc9\x92\x65\x64"
21348 "\xd0\xf3\x23\xe0\x7f\xd1\xe8\x75\xc2\x85\x06\xea"
21349 "\xca\xc0\xcb\x79\x2d\x29\x82\xfc\xaa\x9a\xc6\x95"
21350 "\x7e\xdc\x88\x65\xba\xec\x0e\x16\x87\xec\xa3\x9e"
21351 "\xd8\x8c\x80\xab\x3a\x64\xe0\xcb\x0e\x45\x98\xdd"
21352 "\x7c\x6c\x6c\x26\x11\x13\xc8\xce\xa9\x47\xa6\x06"
21353 "\x57\xa2\x66\xbb\x2d\x7f\xf3\xc1",
21354 .expectedlen = 128,
21355 .addtla = (unsigned char *)
21356 "\x74\xd3\x6d\xda\xe8\xd6\x86\x5f\x63\x01\xfd\xf2"
21357 "\x7d\x06\x29\x6d\x94\xd1\x66\xf0\xd2\x72\x67\x4e"
21358 "\x77\xc5\x3d\x9e\x03\xe3\xa5\x78",
21359 .addtlb = (unsigned char *)
21360 "\xf6\xb6\x3d\xf0\x7c\x26\x04\xc5\x8b\xcd\x3e\x6a"
21361 "\x9f\x9c\x3a\x2e\xdb\x47\x87\xe5\x8e\x00\x5e\x2b"
21362 "\x74\x7f\xa6\xf6\x80\xcd\x9b\x21",
21363 .addtllen = 32,
21364 .pers = (unsigned char *)
21365 "\x74\xa6\xe0\x08\xf9\x27\xee\x1d\x6e\x3c\x28\x20"
21366 "\x87\xdd\xd7\x54\x31\x47\x78\x4b\xe5\x6d\xa3\x73"
21367 "\xa9\x65\xb1\x10\xc1\xdc\x77\x7c",
21368 .perslen = 32,
21369 },
21370};
21371
21372static struct drbg_testvec drbg_nopr_hmac_sha256_tv_template[] = {
21373 {
21374 .entropy = (unsigned char *)
21375 "\xca\x85\x19\x11\x34\x93\x84\xbf\xfe\x89\xde\x1c"
21376 "\xbd\xc4\x6e\x68\x31\xe4\x4d\x34\xa4\xfb\x93\x5e"
21377 "\xe2\x85\xdd\x14\xb7\x1a\x74\x88\x65\x9b\xa9\x6c"
21378 "\x60\x1d\xc6\x9f\xc9\x02\x94\x08\x05\xec\x0c\xa8",
21379 .entropylen = 48,
21380 .expected = (unsigned char *)
21381 "\xe5\x28\xe9\xab\xf2\xde\xce\x54\xd4\x7c\x7e\x75"
21382 "\xe5\xfe\x30\x21\x49\xf8\x17\xea\x9f\xb4\xbe\xe6"
21383 "\xf4\x19\x96\x97\xd0\x4d\x5b\x89\xd5\x4f\xbb\x97"
21384 "\x8a\x15\xb5\xc4\x43\xc9\xec\x21\x03\x6d\x24\x60"
21385 "\xb6\xf7\x3e\xba\xd0\xdc\x2a\xba\x6e\x62\x4a\xbf"
21386 "\x07\x74\x5b\xc1\x07\x69\x4b\xb7\x54\x7b\xb0\x99"
21387 "\x5f\x70\xde\x25\xd6\xb2\x9e\x2d\x30\x11\xbb\x19"
21388 "\xd2\x76\x76\xc0\x71\x62\xc8\xb5\xcc\xde\x06\x68"
21389 "\x96\x1d\xf8\x68\x03\x48\x2c\xb3\x7e\xd6\xd5\xc0"
21390 "\xbb\x8d\x50\xcf\x1f\x50\xd4\x76\xaa\x04\x58\xbd"
21391 "\xab\xa8\x06\xf4\x8b\xe9\xdc\xb8",
21392 .expectedlen = 128,
21393 .addtla = NULL,
21394 .addtlb = NULL,
21395 .addtllen = 0,
21396 .pers = NULL,
21397 .perslen = 0,
21398 }, {
21399 .entropy = (unsigned char *)
21400 "\xf9\x7a\x3c\xfd\x91\xfa\xa0\x46\xb9\xe6\x1b\x94"
21401 "\x93\xd4\x36\xc4\x93\x1f\x60\x4b\x22\xf1\x08\x15"
21402 "\x21\xb3\x41\x91\x51\xe8\xff\x06\x11\xf3\xa7\xd4"
21403 "\x35\x95\x35\x7d\x58\x12\x0b\xd1\xe2\xdd\x8a\xed",
21404 .entropylen = 48,
21405 .expected = (unsigned char *)
21406 "\xc6\x87\x1c\xff\x08\x24\xfe\x55\xea\x76\x89\xa5"
21407 "\x22\x29\x88\x67\x30\x45\x0e\x5d\x36\x2d\xa5\xbf"
21408 "\x59\x0d\xcf\x9a\xcd\x67\xfe\xd4\xcb\x32\x10\x7d"
21409 "\xf5\xd0\x39\x69\xa6\x6b\x1f\x64\x94\xfd\xf5\xd6"
21410 "\x3d\x5b\x4d\x0d\x34\xea\x73\x99\xa0\x7d\x01\x16"
21411 "\x12\x6d\x0d\x51\x8c\x7c\x55\xba\x46\xe1\x2f\x62"
21412 "\xef\xc8\xfe\x28\xa5\x1c\x9d\x42\x8e\x6d\x37\x1d"
21413 "\x73\x97\xab\x31\x9f\xc7\x3d\xed\x47\x22\xe5\xb4"
21414 "\xf3\x00\x04\x03\x2a\x61\x28\xdf\x5e\x74\x97\xec"
21415 "\xf8\x2c\xa7\xb0\xa5\x0e\x86\x7e\xf6\x72\x8a\x4f"
21416 "\x50\x9a\x8c\x85\x90\x87\x03\x9c",
21417 .expectedlen = 128,
21418 .addtla = (unsigned char *)
21419 "\x51\x72\x89\xaf\xe4\x44\xa0\xfe\x5e\xd1\xa4\x1d"
21420 "\xbb\xb5\xeb\x17\x15\x00\x79\xbd\xd3\x1e\x29\xcf"
21421 "\x2f\xf3\x00\x34\xd8\x26\x8e\x3b",
21422 .addtlb = (unsigned char *)
21423 "\x88\x02\x8d\x29\xef\x80\xb4\xe6\xf0\xfe\x12\xf9"
21424 "\x1d\x74\x49\xfe\x75\x06\x26\x82\xe8\x9c\x57\x14"
21425 "\x40\xc0\xc9\xb5\x2c\x42\xa6\xe0",
21426 .addtllen = 32,
21427 .pers = NULL,
21428 .perslen = 0,
21429 }, {
21430 .entropy = (unsigned char *)
21431 "\x8d\xf0\x13\xb4\xd1\x03\x52\x30\x73\x91\x7d\xdf"
21432 "\x6a\x86\x97\x93\x05\x9e\x99\x43\xfc\x86\x54\x54"
21433 "\x9e\x7a\xb2\x2f\x7c\x29\xf1\x22\xda\x26\x25\xaf"
21434 "\x2d\xdd\x4a\xbc\xce\x3c\xf4\xfa\x46\x59\xd8\x4e",
21435 .entropylen = 48,
21436 .expected = (unsigned char *)
21437 "\xb9\x1c\xba\x4c\xc8\x4f\xa2\x5d\xf8\x61\x0b\x81"
21438 "\xb6\x41\x40\x27\x68\xa2\x09\x72\x34\x93\x2e\x37"
21439 "\xd5\x90\xb1\x15\x4c\xbd\x23\xf9\x74\x52\xe3\x10"
21440 "\xe2\x91\xc4\x51\x46\x14\x7f\x0d\xa2\xd8\x17\x61"
21441 "\xfe\x90\xfb\xa6\x4f\x94\x41\x9c\x0f\x66\x2b\x28"
21442 "\xc1\xed\x94\xda\x48\x7b\xb7\xe7\x3e\xec\x79\x8f"
21443 "\xbc\xf9\x81\xb7\x91\xd1\xbe\x4f\x17\x7a\x89\x07"
21444 "\xaa\x3c\x40\x16\x43\xa5\xb6\x2b\x87\xb8\x9d\x66"
21445 "\xb3\xa6\x0e\x40\xd4\xa8\xe4\xe9\xd8\x2a\xf6\xd2"
21446 "\x70\x0e\x6f\x53\x5c\xdb\x51\xf7\x5c\x32\x17\x29"
21447 "\x10\x37\x41\x03\x0c\xcc\x3a\x56",
21448 .expectedlen = 128,
21449 .addtla = NULL,
21450 .addtlb = NULL,
21451 .addtllen = 0,
21452 .pers = (unsigned char *)
21453 "\xb5\x71\xe6\x6d\x7c\x33\x8b\xc0\x7b\x76\xad\x37"
21454 "\x57\xbb\x2f\x94\x52\xbf\x7e\x07\x43\x7a\xe8\x58"
21455 "\x1c\xe7\xbc\x7c\x3a\xc6\x51\xa9",
21456 .perslen = 32,
21457 }, {
21458 .entropy = (unsigned char *)
21459 "\xc2\xa5\x66\xa9\xa1\x81\x7b\x15\xc5\xc3\xb7\x78"
21460 "\x17\x7a\xc8\x7c\x24\xe7\x97\xbe\x0a\x84\x5f\x11"
21461 "\xc2\xfe\x39\x9d\xd3\x77\x32\xf2\xcb\x18\x94\xeb"
21462 "\x2b\x97\xb3\xc5\x6e\x62\x83\x29\x51\x6f\x86\xec",
21463 .entropylen = 48,
21464 .expected = (unsigned char *)
21465 "\xb3\xa3\x69\x8d\x77\x76\x99\xa0\xdd\x9f\xa3\xf0"
21466 "\xa9\xfa\x57\x83\x2d\x3c\xef\xac\x5d\xf2\x44\x37"
21467 "\xc6\xd7\x3a\x0f\xe4\x10\x40\xf1\x72\x90\x38\xae"
21468 "\xf1\xe9\x26\x35\x2e\xa5\x9d\xe1\x20\xbf\xb7\xb0"
21469 "\x73\x18\x3a\x34\x10\x6e\xfe\xd6\x27\x8f\xf8\xad"
21470 "\x84\x4b\xa0\x44\x81\x15\xdf\xdd\xf3\x31\x9a\x82"
21471 "\xde\x6b\xb1\x1d\x80\xbd\x87\x1a\x9a\xcd\x35\xc7"
21472 "\x36\x45\xe1\x27\x0f\xb9\xfe\x4f\xa8\x8e\xc0\xe4"
21473 "\x65\x40\x9e\xa0\xcb\xa8\x09\xfe\x2f\x45\xe0\x49"
21474 "\x43\xa2\xe3\x96\xbb\xb7\xdd\x2f\x4e\x07\x95\x30"
21475 "\x35\x24\xcc\x9c\xc5\xea\x54\xa1",
21476 .expectedlen = 128,
21477 .addtla = (unsigned char *)
21478 "\x41\x3d\xd8\x3f\xe5\x68\x35\xab\xd4\x78\xcb\x96"
21479 "\x93\xd6\x76\x35\x90\x1c\x40\x23\x9a\x26\x64\x62"
21480 "\xd3\x13\x3b\x83\xe4\x9c\x82\x0b",
21481 .addtlb = (unsigned char *)
21482 "\xd5\xc4\xa7\x1f\x9d\x6d\x95\xa1\xbe\xdf\x0b\xd2"
21483 "\x24\x7c\x27\x7d\x1f\x84\xa4\xe5\x7a\x4a\x88\x25"
21484 "\xb8\x2a\x2d\x09\x7d\xe6\x3e\xf1",
21485 .addtllen = 32,
21486 .pers = (unsigned char *)
21487 "\x13\xce\x4d\x8d\xd2\xdb\x97\x96\xf9\x41\x56\xc8"
21488 "\xe8\xf0\x76\x9b\x0a\xa1\xc8\x2c\x13\x23\xb6\x15"
21489 "\x36\x60\x3b\xca\x37\xc9\xee\x29",
21490 .perslen = 32,
21491 },
21492};
21493
21494static struct drbg_testvec drbg_nopr_ctr_aes192_tv_template[] = {
21495 {
21496 .entropy = (unsigned char *)
21497 "\xc3\x5c\x2f\xa2\xa8\x9d\x52\xa1\x1f\xa3\x2a\xa9"
21498 "\x6c\x95\xb8\xf1\xc9\xa8\xf9\xcb\x24\x5a\x8b\x40"
21499 "\xf3\xa6\xe5\xa7\xfb\xd9\xd3\xc6\x8e\x27\x7b\xa9"
21500 "\xac\x9b\xbb\x00",
21501 .entropylen = 40,
21502 .expected = (unsigned char *)
21503 "\x8c\x2e\x72\xab\xfd\x9b\xb8\x28\x4d\xb7\x9e\x17"
21504 "\xa4\x3a\x31\x46\xcd\x76\x94\xe3\x52\x49\xfc\x33"
21505 "\x83\x91\x4a\x71\x17\xf4\x13\x68\xe6\xd4\xf1\x48"
21506 "\xff\x49\xbf\x29\x07\x6b\x50\x15\xc5\x9f\x45\x79"
21507 "\x45\x66\x2e\x3d\x35\x03\x84\x3f\x4a\xa5\xa3\xdf"
21508 "\x9a\x9d\xf1\x0d",
21509 .expectedlen = 64,
21510 .addtla = NULL,
21511 .addtlb = NULL,
21512 .addtllen = 0,
21513 .pers = NULL,
21514 .perslen = 0,
21515 },
21516};
21517
21518static struct drbg_testvec drbg_nopr_ctr_aes256_tv_template[] = {
21519 {
21520 .entropy = (unsigned char *)
21521 "\x36\x40\x19\x40\xfa\x8b\x1f\xba\x91\xa1\x66\x1f"
21522 "\x21\x1d\x78\xa0\xb9\x38\x9a\x74\xe5\xbc\xcf\xec"
21523 "\xe8\xd7\x66\xaf\x1a\x6d\x3b\x14\x49\x6f\x25\xb0"
21524 "\xf1\x30\x1b\x4f\x50\x1b\xe3\x03\x80\xa1\x37\xeb",
21525 .entropylen = 48,
21526 .expected = (unsigned char *)
21527 "\x58\x62\xeb\x38\xbd\x55\x8d\xd9\x78\xa6\x96\xe6"
21528 "\xdf\x16\x47\x82\xdd\xd8\x87\xe7\xe9\xa6\xc9\xf3"
21529 "\xf1\xfb\xaf\xb7\x89\x41\xb5\x35\xa6\x49\x12\xdf"
21530 "\xd2\x24\xc6\xdc\x74\x54\xe5\x25\x0b\x3d\x97\x16"
21531 "\x5e\x16\x26\x0c\x2f\xaf\x1c\xc7\x73\x5c\xb7\x5f"
21532 "\xb4\xf0\x7e\x1d",
21533 .expectedlen = 64,
21534 .addtla = NULL,
21535 .addtlb = NULL,
21536 .addtllen = 0,
21537 .pers = NULL,
21538 .perslen = 0,
21539 },
21540};
21541
21542static struct drbg_testvec drbg_nopr_ctr_aes128_tv_template[] = {
21543 {
21544 .entropy = (unsigned char *)
21545 "\x87\xe1\xc5\x32\x99\x7f\x57\xa3\x5c\x28\x6d\xe8"
21546 "\x64\xbf\xf2\x64\xa3\x9e\x98\xdb\x6c\x10\x78\x7f",
21547 .entropylen = 24,
21548 .expected = (unsigned char *)
21549 "\x2c\x14\x7e\x24\x11\x9a\xd8\xd4\xb2\xed\x61\xc1"
21550 "\x53\xd0\x50\xc9\x24\xff\x59\x75\x15\xf1\x17\x3a"
21551 "\x3d\xf4\x4b\x2c\x84\x28\xef\x89\x0e\xb9\xde\xf3"
21552 "\xe4\x78\x04\xb2\xfd\x9b\x35\x7f\xe1\x3f\x8a\x3e"
21553 "\x10\xc8\x67\x0a\xf9\xdf\x2d\x6c\x96\xfb\xb2\xb8"
21554 "\xcb\x2d\xd6\xb0",
21555 .expectedlen = 64,
21556 .addtla = NULL,
21557 .addtlb = NULL,
21558 .addtllen = 0,
21559 .pers = NULL,
21560 .perslen = 0,
21561 }, {
21562 .entropy = (unsigned char *)
21563 "\x71\xbd\xce\x35\x42\x7d\x20\xbf\x58\xcf\x17\x74"
21564 "\xce\x72\xd8\x33\x34\x50\x2d\x8f\x5b\x14\xc4\xdd",
21565 .entropylen = 24,
21566 .expected = (unsigned char *)
21567 "\x97\x33\xe8\x20\x12\xe2\x7b\xa1\x46\x8f\xf2\x34"
21568 "\xb3\xc9\xb6\x6b\x20\xb2\x4f\xee\x27\xd8\x0b\x21"
21569 "\x8c\xff\x63\x73\x69\x29\xfb\xf3\x85\xcd\x88\x8e"
21570 "\x43\x2c\x71\x8b\xa2\x55\xd2\x0f\x1d\x7f\xe3\xe1"
21571 "\x2a\xa3\xe9\x2c\x25\x89\xc7\x14\x52\x99\x56\xcc"
21572 "\xc3\xdf\xb3\x81",
21573 .expectedlen = 64,
21574 .addtla = (unsigned char *)
21575 "\x66\xef\x42\xd6\x9a\x8c\x3d\x6d\x4a\x9e\x95\xa6"
21576 "\x91\x4d\x81\x56",
21577 .addtlb = (unsigned char *)
21578 "\xe3\x18\x83\xd9\x4b\x5e\xc4\xcc\xaa\x61\x2f\xbb"
21579 "\x4a\x55\xd1\xc6",
21580 .addtllen = 16,
21581 .pers = NULL,
21582 .perslen = 0,
21583 }, {
21584 .entropy = (unsigned char *)
21585 "\xca\x4b\x1e\xfa\x75\xbd\x69\x36\x38\x73\xb8\xf9"
21586 "\xdb\x4d\x35\x0e\x47\xbf\x6c\x37\x72\xfd\xf7\xa9",
21587 .entropylen = 24,
21588 .expected = (unsigned char *)
21589 "\x59\xc3\x19\x79\x1b\xb1\xf3\x0e\xe9\x34\xae\x6e"
21590 "\x8b\x1f\xad\x1f\x74\xca\x25\x45\x68\xb8\x7f\x75"
21591 "\x12\xf8\xf2\xab\x4c\x23\x01\x03\x05\xe1\x70\xee"
21592 "\x75\xd8\xcb\xeb\x23\x4c\x7a\x23\x6e\x12\x27\xdb"
21593 "\x6f\x7a\xac\x3c\x44\xb7\x87\x4b\x65\x56\x74\x45"
21594 "\x34\x30\x0c\x3d",
21595 .expectedlen = 64,
21596 .addtla = NULL,
21597 .addtlb = NULL,
21598 .addtllen = 0,
21599 .pers = (unsigned char *)
21600 "\xeb\xaa\x60\x2c\x4d\xbe\x33\xff\x1b\xef\xbf\x0a"
21601 "\x0b\xc6\x97\x54",
21602 .perslen = 16,
21603 }, {
21604 .entropy = (unsigned char *)
21605 "\xc0\x70\x1f\x92\x50\x75\x8f\xcd\xf2\xbe\x73\x98"
21606 "\x80\xdb\x66\xeb\x14\x68\xb4\xa5\x87\x9c\x2d\xa6",
21607 .entropylen = 24,
21608 .expected = (unsigned char *)
21609 "\x97\xc0\xc0\xe5\xa0\xcc\xf2\x4f\x33\x63\x48\x8a"
21610 "\xdb\x13\x0a\x35\x89\xbf\x80\x65\x62\xee\x13\x95"
21611 "\x7c\x33\xd3\x7d\xf4\x07\x77\x7a\x2b\x65\x0b\x5f"
21612 "\x45\x5c\x13\xf1\x90\x77\x7f\xc5\x04\x3f\xcc\x1a"
21613 "\x38\xf8\xcd\x1b\xbb\xd5\x57\xd1\x4a\x4c\x2e\x8a"
21614 "\x2b\x49\x1e\x5c",
21615 .expectedlen = 64,
21616 .addtla = (unsigned char *)
21617 "\xf9\x01\xf8\x16\x7a\x1d\xff\xde\x8e\x3c\x83\xe2"
21618 "\x44\x85\xe7\xfe",
21619 .addtlb = (unsigned char *)
21620 "\x17\x1c\x09\x38\xc2\x38\x9f\x97\x87\x60\x55\xb4"
21621 "\x82\x16\x62\x7f",
21622 .addtllen = 16,
21623 .pers = (unsigned char *)
21624 "\x80\x08\xae\xe8\xe9\x69\x40\xc5\x08\x73\xc7\x9f"
21625 "\x8e\xcf\xe0\x02",
21626 .perslen = 16,
21627 },
21628};
21629
20746/* Cast5 test vectors from RFC 2144 */ 21630/* Cast5 test vectors from RFC 2144 */
20747#define CAST5_ENC_TEST_VECTORS 4 21631#define CAST5_ENC_TEST_VECTORS 4
20748#define CAST5_DEC_TEST_VECTORS 4 21632#define CAST5_DEC_TEST_VECTORS 4
@@ -20907,8 +21791,8 @@ static struct cipher_testvec cast5_enc_tv_template[] = {
20907 "\xF5\xBC\x25\xD6\x02\x56\x57\x1C", 21791 "\xF5\xBC\x25\xD6\x02\x56\x57\x1C",
20908 .rlen = 496, 21792 .rlen = 496,
20909 .also_non_np = 1, 21793 .also_non_np = 1,
20910 .np = 2, 21794 .np = 3,
20911 .tap = { 496 - 16, 16 }, 21795 .tap = { 496 - 20, 4, 16 },
20912 }, 21796 },
20913}; 21797};
20914 21798
@@ -21068,8 +21952,8 @@ static struct cipher_testvec cast5_dec_tv_template[] = {
21068 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 21952 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
21069 .rlen = 496, 21953 .rlen = 496,
21070 .also_non_np = 1, 21954 .also_non_np = 1,
21071 .np = 2, 21955 .np = 3,
21072 .tap = { 496 - 16, 16 }, 21956 .tap = { 496 - 20, 4, 16 },
21073 }, 21957 },
21074}; 21958};
21075 21959
@@ -21206,8 +22090,8 @@ static struct cipher_testvec cast5_cbc_enc_tv_template[] = {
21206 "\x1D\x18\x66\x44\x5B\x8F\x14\xEB", 22090 "\x1D\x18\x66\x44\x5B\x8F\x14\xEB",
21207 .rlen = 496, 22091 .rlen = 496,
21208 .also_non_np = 1, 22092 .also_non_np = 1,
21209 .np = 2, 22093 .np = 3,
21210 .tap = { 496 - 16, 16 }, 22094 .tap = { 496 - 20, 4, 16 },
21211 }, 22095 },
21212}; 22096};
21213 22097
@@ -21344,8 +22228,8 @@ static struct cipher_testvec cast5_cbc_dec_tv_template[] = {
21344 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 22228 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
21345 .rlen = 496, 22229 .rlen = 496,
21346 .also_non_np = 1, 22230 .also_non_np = 1,
21347 .np = 2, 22231 .np = 3,
21348 .tap = { 496 - 16, 16 }, 22232 .tap = { 496 - 20, 4, 16 },
21349 }, 22233 },
21350}; 22234};
21351 22235
@@ -21495,8 +22379,8 @@ static struct cipher_testvec cast5_ctr_enc_tv_template[] = {
21495 "\xC0\x0D\x96\xAA\x23\xF8\xFE\x13", 22379 "\xC0\x0D\x96\xAA\x23\xF8\xFE\x13",
21496 .rlen = 496, 22380 .rlen = 496,
21497 .also_non_np = 1, 22381 .also_non_np = 1,
21498 .np = 2, 22382 .np = 3,
21499 .tap = { 496 - 16, 16 }, 22383 .tap = { 496 - 20, 4, 16 },
21500 }, 22384 },
21501}; 22385};
21502 22386
@@ -21646,8 +22530,8 @@ static struct cipher_testvec cast5_ctr_dec_tv_template[] = {
21646 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7", 22530 "\xDC\x50\xE7\x7E\x15\x89\x20\xB7",
21647 .rlen = 496, 22531 .rlen = 496,
21648 .also_non_np = 1, 22532 .also_non_np = 1,
21649 .np = 2, 22533 .np = 3,
21650 .tap = { 496 - 16, 16 }, 22534 .tap = { 496 - 20, 4, 16 },
21651 }, 22535 },
21652}; 22536};
21653 22537
@@ -22805,8 +23689,8 @@ static struct cipher_testvec camellia_enc_tv_template[] = {
22805 "\x33\x1A\xBB\xD3\xA2\x7E\x97\x66", 23689 "\x33\x1A\xBB\xD3\xA2\x7E\x97\x66",
22806 .rlen = 1008, 23690 .rlen = 1008,
22807 .also_non_np = 1, 23691 .also_non_np = 1,
22808 .np = 2, 23692 .np = 3,
22809 .tap = { 1008 - 16, 16 }, 23693 .tap = { 1008 - 20, 4, 16 },
22810 }, 23694 },
22811}; 23695};
22812 23696
@@ -23105,8 +23989,8 @@ static struct cipher_testvec camellia_dec_tv_template[] = {
23105 "\x72\x09\xA0\x14\xAB\x42\xD9\x4D", 23989 "\x72\x09\xA0\x14\xAB\x42\xD9\x4D",
23106 .rlen = 1008, 23990 .rlen = 1008,
23107 .also_non_np = 1, 23991 .also_non_np = 1,
23108 .np = 2, 23992 .np = 3,
23109 .tap = { 1008 - 16, 16 }, 23993 .tap = { 1008 - 20, 4, 16 },
23110 }, 23994 },
23111}; 23995};
23112 23996
@@ -23401,8 +24285,8 @@ static struct cipher_testvec camellia_cbc_enc_tv_template[] = {
23401 "\x70\xC5\xB9\x0B\x3B\x7A\x6E\x6C", 24285 "\x70\xC5\xB9\x0B\x3B\x7A\x6E\x6C",
23402 .rlen = 1008, 24286 .rlen = 1008,
23403 .also_non_np = 1, 24287 .also_non_np = 1,
23404 .np = 2, 24288 .np = 3,
23405 .tap = { 1008 - 16, 16 }, 24289 .tap = { 1008 - 20, 4, 16 },
23406 }, 24290 },
23407}; 24291};
23408 24292
@@ -23697,8 +24581,8 @@ static struct cipher_testvec camellia_cbc_dec_tv_template[] = {
23697 "\x72\x09\xA0\x14\xAB\x42\xD9\x4D", 24581 "\x72\x09\xA0\x14\xAB\x42\xD9\x4D",
23698 .rlen = 1008, 24582 .rlen = 1008,
23699 .also_non_np = 1, 24583 .also_non_np = 1,
23700 .np = 2, 24584 .np = 3,
23701 .tap = { 1008 - 16, 16 }, 24585 .tap = { 1008 - 20, 4, 16 },
23702 }, 24586 },
23703}; 24587};
23704 24588
@@ -25283,8 +26167,8 @@ static struct cipher_testvec camellia_lrw_enc_tv_template[] = {
25283 "\x5a\xa8\x92\x7f\xba\xe6\x0c\x95", 26167 "\x5a\xa8\x92\x7f\xba\xe6\x0c\x95",
25284 .rlen = 512, 26168 .rlen = 512,
25285 .also_non_np = 1, 26169 .also_non_np = 1,
25286 .np = 2, 26170 .np = 3,
25287 .tap = { 512 - 16, 16 }, 26171 .tap = { 512 - 20, 4, 16 },
25288 }, 26172 },
25289}; 26173};
25290 26174
@@ -25536,8 +26420,8 @@ static struct cipher_testvec camellia_lrw_dec_tv_template[] = {
25536 "\x21\xc4\xc2\x75\x67\x89\x37\x0a", 26420 "\x21\xc4\xc2\x75\x67\x89\x37\x0a",
25537 .rlen = 512, 26421 .rlen = 512,
25538 .also_non_np = 1, 26422 .also_non_np = 1,
25539 .np = 2, 26423 .np = 3,
25540 .tap = { 512 - 16, 16 }, 26424 .tap = { 512 - 20, 4, 16 },
25541 }, 26425 },
25542}; 26426};
25543 26427
@@ -25878,8 +26762,8 @@ static struct cipher_testvec camellia_xts_enc_tv_template[] = {
25878 "\xd5\xc6\x99\xcc\x4e\x6c\x94\x95", 26762 "\xd5\xc6\x99\xcc\x4e\x6c\x94\x95",
25879 .rlen = 512, 26763 .rlen = 512,
25880 .also_non_np = 1, 26764 .also_non_np = 1,
25881 .np = 2, 26765 .np = 3,
25882 .tap = { 512 - 16, 16 }, 26766 .tap = { 512 - 20, 4, 16 },
25883 }, 26767 },
25884}; 26768};
25885 26769
@@ -26221,8 +27105,8 @@ static struct cipher_testvec camellia_xts_dec_tv_template[] = {
26221 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff", 27105 "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff",
26222 .rlen = 512, 27106 .rlen = 512,
26223 .also_non_np = 1, 27107 .also_non_np = 1,
26224 .np = 2, 27108 .np = 3,
26225 .tap = { 512 - 16, 16 }, 27109 .tap = { 512 - 20, 4, 16 },
26226 }, 27110 },
26227}; 27111};
26228 27112
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-11 14:40:38 -0500