^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Copyright 2021 Google LLC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Authors: Elena Petrova <lenaptr@google.com>,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * Eric Biggers <ebiggers@google.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Self-tests of fips140.ko cryptographic functionality. These are run at
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * module load time to fulfill FIPS 140 and NIAP FPT_TST_EXT.1 requirements.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) * The actual requirements for these self-tests are somewhat vague, but
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) * section 9 ("Self-Tests") of the FIPS 140-2 Implementation Guidance document
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * (https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * is somewhat helpful. Basically, all implementations of all FIPS approved
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * algorithms (including modes of operation) must be tested. However:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) * - There are provisions for skipping tests that are already sufficiently
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * covered by other tests. E.g., HMAC-SHA256 may cover SHA-256.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * - Only one test vector is required per algorithm, and it can be generated
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * by any known-good implementation or taken from any official document.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * - For ciphers, both encryption and decryption must be tested.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * - Only one key size per algorithm needs to be tested.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * There is some ambiguity about whether all implementations of each algorithm
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * must be tested, or whether it is sufficient to test just the highest priority
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) * implementation. To be safe we test all implementations, except ones that can
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) * be excluded by one of the rules above.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) * See fips140_selftests[] for the list of tests we've selected. Currently, all
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) * our test vectors except the AES-CBC-CTS and DRBG ones were generated by the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) * script tools/crypto/gen_fips140_testvecs.py, using the known-good
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) * implementations in the Python packages hashlib, pycryptodome, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) * cryptography.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) * Note that we don't reuse the upstream crypto API's self-tests
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) * (crypto/testmgr.{c,h}), for several reasons:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) * - To meet FIPS requirements, the self-tests must be located within the FIPS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) * module boundary (fips140.ko). But testmgr is integrated into the crypto
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) * API framework and can't be extracted into the module.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) * - testmgr is much more heavyweight than required for FIPS and NIAP; it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) * tests more algorithms and does more tests per algorithm, as it's meant to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) * do proper testing and not just meet certification requirements. We need
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) * tests that can run with minimal overhead on every boot-up.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) * - Although it is more heavyweight in general, testmgr doesn't test the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) * SHA-256 and AES library APIs, which need to be tested here.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) #include <crypto/aead.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) #include <crypto/aes.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) #include <crypto/drbg.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) #include <crypto/hash.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) #include <crypto/rng.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) #include <crypto/sha.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) #include <crypto/skcipher.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) #include "fips140-module.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)
/*
 * Test vector for an AEAD algorithm.
 *
 * fips_test_aead() derives the authentication tag size as
 * ciphertext_size - plaintext_size, so @ciphertext must include the tag and
 * be strictly longer than @plaintext; a vector that violates this is rejected
 * with WARN_ON() before any crypto call is made.
 */
struct aead_testvec {
	const u8 *key;		/* key handed to crypto_aead_setkey() */
	size_t key_size;
	const u8 *iv;		/* IV; copied into a MAX_IV_SIZE stack buffer */
	size_t iv_size;		/* must be <= MAX_IV_SIZE and match the tfm's IV size */
	const u8 *assoc;	/* associated data; skipped in the scatterlist if empty */
	size_t assoc_size;
	const u8 *plaintext;
	size_t plaintext_size;
	const u8 *ciphertext;	/* expected output, including the authentication tag */
	size_t ciphertext_size;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76)
/*
 * Test vector for a length-preserving encryption algorithm.
 *
 * Plaintext and ciphertext share one length, @message_size.
 * fips_test_skcipher() rejects a zero @message_size, and
 * fips_test_aes_library() requires it to be exactly AES_BLOCK_SIZE.
 */
struct skcipher_testvec {
	const u8 *key;
	size_t key_size;
	const u8 *iv;		/* IV; copied into a MAX_IV_SIZE stack buffer */
	size_t iv_size;		/* must be <= MAX_IV_SIZE and match the tfm's IV size */
	const u8 *plaintext;
	const u8 *ciphertext;
	size_t message_size;	/* length of both @plaintext and @ciphertext */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87)
/*
 * Test vector for a hash algorithm.
 *
 * @key is optional: fips_test_hash() calls crypto_shash_setkey() only when
 * @key is non-NULL. fips_test_sha256_library() does not read @key at all.
 */
struct hash_testvec {
	const u8 *key;		/* NULL for an unkeyed hash */
	size_t key_size;
	const u8 *message;
	size_t message_size;
	const u8 *digest;	/* expected digest */
	size_t digest_size;	/* checked against HASH_MAX_DIGESTSIZE / SHA256_DIGEST_SIZE */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97)
/*
 * Test vector for a DRBG algorithm.
 *
 * NOTE(review): the function that consumes this vector is not in view here,
 * so the per-field notes below are inferred from the field names only and
 * should be confirmed against that function.
 */
struct drbg_testvec {
	const u8 *entropy;	/* presumably the seed entropy input */
	size_t entropy_size;
	const u8 *pers;		/* presumably the personalization string */
	size_t pers_size;
	const u8 *entpr_a;	/* presumably prediction-resistance entropy, 1st call */
	const u8 *entpr_b;	/* presumably prediction-resistance entropy, 2nd call */
	size_t entpr_size;	/* one size shared by @entpr_a and @entpr_b */
	const u8 *add_a;	/* presumably additional input, 1st call */
	const u8 *add_b;	/* presumably additional input, 2nd call */
	size_t add_size;	/* one size shared by @add_a and @add_b */
	const u8 *output;	/* presumably the expected generated output */
	size_t out_size;
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113)
/*
 * One self-test entry: the algorithm to test, the implementations of it to
 * exercise, the known-answer test function, and the test vector.
 */
struct fips_test {
	/* The name of the algorithm, in crypto API syntax */
	const char *alg;

	/*
	 * The optional list of implementations to test. @func will be called
	 * once per implementation, or once with @alg if this list is empty.
	 * The implementation names must be given in crypto API syntax, or in
	 * the case of a library implementation should have "-lib" appended.
	 *
	 * The array is fixed at 8 slots, so at most 8 names fit per entry.
	 */
	const char *impls[8];

	/*
	 * The test function. It should execute a known-answer test on an
	 * algorithm implementation, using the below test vector.
	 *
	 * __must_check: the return value must not be ignored by the caller.
	 */
	int __must_check (*func)(const struct fips_test *test,
				 const char *impl);

	/*
	 * The test vector, with a format specific to the type of algorithm.
	 * Nothing in the struct records which member is populated; each test
	 * function reads the member matching its own algorithm type (e.g.
	 * fips_test_aead() reads .aead), so @func and the initialized member
	 * must agree.
	 */
	union {
		struct aead_testvec aead;
		struct skcipher_testvec skcipher;
		struct hash_testvec hash;
		struct drbg_testvec drbg;
	};
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141)
/*
 * Maximum IV size (in bytes) among any algorithm tested here.
 *
 * fips_test_skcipher() and fips_test_aead() size their on-stack IV buffers
 * with this constant and reject a vector whose iv_size exceeds it before
 * copying, so it must be raised if an algorithm with a larger IV is added.
 */
#define MAX_IV_SIZE	16
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144)
/*
 * Compare a computed result with the known answer for one operation.
 *
 * @result:          buffer holding the computed output; it is first passed,
 *                   non-const, to fips140_inject_selftest_failure()
 * @expected_result: the known answer from the test vector
 * @result_size:     number of bytes to compare
 * @impl:            implementation name, used in the log message
 * @operation:       short operation name ("encryption", "digest", ...)
 *
 * NOTE(review): judging by its name, the injection hook can corrupt @result
 * to simulate a failing self-test; its definition is not in this file, so
 * confirm when it is active.
 *
 * The values compared are fixed known-answer test vectors, not secrets, so
 * the non-constant-time memcmp() is fine here. Do not reuse this helper to
 * verify secret-dependent values such as MACs or authentication tags.
 *
 * Return: 0 if the buffers match, -EBADMSG (after logging) otherwise.
 */
static int __init __must_check
fips_check_result(u8 *result, const u8 *expected_result, size_t result_size,
		  const char *impl, const char *operation)
{
	fips140_inject_selftest_failure(impl, result);

	if (memcmp(result, expected_result, result_size) == 0)
		return 0;

	pr_err("wrong result from %s %s\n", impl, operation);
	return -EBADMSG;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) * None of the algorithms should be ASYNC, as the FIPS module doesn't register
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) * any ASYNC algorithms. (The ASYNC flag is only declared by hardware
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) * algorithms, which would need their own FIPS certification.)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) * Ideally we would verify alg->cra_module == THIS_MODULE here as well, but that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) * doesn't work because the files are compiled as built-in code.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) */
static int __init __must_check
fips_validate_alg(const struct crypto_alg *alg)
{
	/*
	 * The only property checked is the absence of CRYPTO_ALG_ASYNC.
	 * Nothing here proves that the implementation came from this module.
	 */
	if (!(alg->cra_flags & CRYPTO_ALG_ASYNC))
		return 0;

	pr_err("unexpectedly got async implementation of %s (%s)\n",
	       alg->cra_name, alg->cra_driver_name);
	return -EINVAL;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175)
/*
 * Decide what a failed tfm allocation means for the self-test of @impl.
 *
 * @impl: name of the implementation whose allocation failed
 * @err:  the negative errno from the allocation
 *
 * Return: 0 if the test should be skipped (-ENOENT), otherwise @err.
 *
 * NOTE(review): every -ENOENT is treated as "implementation unavailable" and
 * the test passes with only a pr_info() line. That also covers a name that
 * is misspelled or was never registered, so confirming that an implementation
 * really was tested means checking the log for this message.
 */
static int __init __must_check
fips_handle_alloc_tfm_error(const char *impl, int err)
{
	if (err != -ENOENT) {
		pr_err("failed to allocate %s tfm: %d\n", impl, err);
		return err;
	}

	/*
	 * The requested implementation of the algorithm wasn't found. This is
	 * expected if the CPU lacks a feature the implementation needs, such
	 * as the ARMv8 Crypto Extensions.
	 *
	 * An implementation that can't be allocated isn't available for use,
	 * so it can't be tested and doesn't need to be. Skip the test.
	 */
	pr_info("%s is unavailable (no CPU support?), skipping testing it\n",
		impl);
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196)
/*
 * Known-answer test of the AES library API (aes_expandkey(), aes_encrypt(),
 * aes_decrypt()) on a single block taken from the skcipher test vector.
 *
 * Return: 0 on success, -EINVAL if the vector is not exactly one AES block,
 * the aes_expandkey() error, or -EBADMSG on a wrong result.
 */
static int __init __must_check
fips_test_aes_library(const struct fips_test *test, const char *impl)
{
	const struct skcipher_testvec *tv = &test->skcipher;
	struct crypto_aes_ctx aes_ctx;
	u8 buf[AES_BLOCK_SIZE];
	int ret;

	/* buf holds exactly one block, so the vector must be one block too. */
	if (WARN_ON(tv->message_size != AES_BLOCK_SIZE))
		return -EINVAL;

	/*
	 * aes_ctx receives the expanded key and is not wiped on return.
	 * NOTE(review): presumably acceptable because the key is a fixed test
	 * vector rather than a secret - confirm.
	 */
	ret = aes_expandkey(&aes_ctx, tv->key, tv->key_size);
	if (ret) {
		pr_err("aes_expandkey() failed: %d\n", ret);
		return ret;
	}

	aes_encrypt(&aes_ctx, buf, tv->plaintext);
	ret = fips_check_result(buf, tv->ciphertext, AES_BLOCK_SIZE,
				impl, "encryption");
	if (ret)
		return ret;

	/* Decrypt the just-verified ciphertext in place. */
	aes_decrypt(&aes_ctx, buf, buf);
	return fips_check_result(buf, tv->plaintext, AES_BLOCK_SIZE,
				 impl, "decryption");
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) /* Test a length-preserving symmetric cipher using the crypto_skcipher API. */
static int __init __must_check
fips_test_skcipher(const struct fips_test *test, const char *impl)
{
	const struct skcipher_testvec *tv = &test->skcipher;
	struct crypto_skcipher *tfm;
	struct skcipher_request *request = NULL;
	u8 *buf = NULL;
	struct scatterlist sgl;
	u8 iv_buf[MAX_IV_SIZE];
	int ret;

	/* Reject vectors that would overflow iv_buf or carry no data. */
	if (WARN_ON(tv->iv_size > MAX_IV_SIZE))
		return -EINVAL;
	if (WARN_ON(tv->message_size == 0))
		return -EINVAL;

	tfm = crypto_alloc_skcipher(impl, 0, 0);
	if (IS_ERR(tfm))
		return fips_handle_alloc_tfm_error(impl, PTR_ERR(tfm));

	ret = fips_validate_alg(&crypto_skcipher_alg(tfm)->base);
	if (ret)
		goto out;

	if (crypto_skcipher_ivsize(tfm) != tv->iv_size) {
		pr_err("%s has wrong IV size\n", impl);
		ret = -EINVAL;
		goto out;
	}

	/*
	 * Both allocations are attempted before either is checked. The
	 * cleanup at "out" frees whichever one succeeded.
	 */
	request = skcipher_request_alloc(tfm, GFP_KERNEL);
	buf = kmemdup(tv->plaintext, tv->message_size, GFP_KERNEL);
	if (!(request && buf)) {
		ret = -ENOMEM;
		goto out;
	}

	/* One scatterlist entry is both source and destination (in place). */
	sg_init_one(&sgl, buf, tv->message_size);

	/*
	 * No completion callback is set: fips_validate_alg() has already
	 * rejected ASYNC implementations.
	 */
	skcipher_request_set_callback(request, CRYPTO_TFM_REQ_MAY_SLEEP,
				      NULL, NULL);
	skcipher_request_set_crypt(request, &sgl, &sgl, tv->message_size,
				   iv_buf);

	ret = crypto_skcipher_setkey(tfm, tv->key, tv->key_size);
	if (ret) {
		pr_err("failed to set %s key: %d\n", impl, ret);
		goto out;
	}

	/*
	 * Encrypt the plaintext, then verify the resulting ciphertext.
	 * iv_buf is reloaded from the vector before each operation,
	 * presumably because the cipher may update it.
	 */
	memcpy(iv_buf, tv->iv, tv->iv_size);
	ret = crypto_skcipher_encrypt(request);
	if (ret) {
		pr_err("%s encryption failed: %d\n", impl, ret);
		goto out;
	}
	ret = fips_check_result(buf, tv->ciphertext, tv->message_size,
				impl, "encryption");
	if (ret)
		goto out;

	/* Decrypt the ciphertext, then verify the resulting plaintext. */
	memcpy(iv_buf, tv->iv, tv->iv_size);
	ret = crypto_skcipher_decrypt(request);
	if (ret) {
		pr_err("%s decryption failed: %d\n", impl, ret);
		goto out;
	}
	ret = fips_check_result(buf, tv->plaintext, tv->message_size,
				impl, "decryption");
out:
	kfree(buf);
	skcipher_request_free(request);
	crypto_free_skcipher(tfm);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) /* Test an AEAD using the crypto_aead API. */
static int __init __must_check
fips_test_aead(const struct fips_test *test, const char *impl)
{
	const struct aead_testvec *tv = &test->aead;
	struct crypto_aead *tfm;
	struct aead_request *request = NULL;
	u8 *ad = NULL;
	u8 *buf = NULL;
	struct scatterlist sgl[2];
	int next = 0;
	u8 iv_buf[MAX_IV_SIZE];
	int tag_size;
	int ret;

	/* Reject vectors that would overflow iv_buf or leave no tag room. */
	if (WARN_ON(tv->iv_size > MAX_IV_SIZE))
		return -EINVAL;
	if (WARN_ON(tv->ciphertext_size <= tv->plaintext_size))
		return -EINVAL;

	/* The ciphertext carries the tag, so the tag is the size difference. */
	tag_size = tv->ciphertext_size - tv->plaintext_size;

	tfm = crypto_alloc_aead(impl, 0, 0);
	if (IS_ERR(tfm))
		return fips_handle_alloc_tfm_error(impl, PTR_ERR(tfm));

	ret = fips_validate_alg(&crypto_aead_alg(tfm)->base);
	if (ret)
		goto out;

	if (crypto_aead_ivsize(tfm) != tv->iv_size) {
		pr_err("%s has wrong IV size\n", impl);
		ret = -EINVAL;
		goto out;
	}

	/*
	 * All three allocations are attempted before any is checked. The
	 * cleanup at "out" frees whichever ones succeeded.
	 */
	request = aead_request_alloc(tfm, GFP_KERNEL);
	ad = kmemdup(tv->assoc, tv->assoc_size, GFP_KERNEL);
	buf = kzalloc(tv->ciphertext_size, GFP_KERNEL);
	if (!(request && ad && buf)) {
		ret = -ENOMEM;
		goto out;
	}

	/* buf is ciphertext-sized so the tag fits after the plaintext. */
	memcpy(buf, tv->plaintext, tv->plaintext_size);

	/* Optional associated data first, then the message buffer. */
	sg_init_table(sgl, ARRAY_SIZE(sgl));
	if (tv->assoc_size) {
		sg_set_buf(&sgl[next], ad, tv->assoc_size);
		next++;
	}
	sg_set_buf(&sgl[next], buf, tv->ciphertext_size);

	aead_request_set_ad(request, tv->assoc_size);
	aead_request_set_callback(request, CRYPTO_TFM_REQ_MAY_SLEEP,
				  NULL, NULL);

	ret = crypto_aead_setkey(tfm, tv->key, tv->key_size);
	if (ret) {
		pr_err("failed to set %s key: %d\n", impl, ret);
		goto out;
	}

	ret = crypto_aead_setauthsize(tfm, tag_size);
	if (ret) {
		pr_err("failed to set %s authentication tag size: %d\n",
		       impl, ret);
		goto out;
	}

	/*
	 * Encrypt the plaintext, then verify the resulting ciphertext (which
	 * includes the authentication tag).
	 */
	memcpy(iv_buf, tv->iv, tv->iv_size);
	aead_request_set_crypt(request, sgl, sgl, tv->plaintext_size, iv_buf);
	ret = crypto_aead_encrypt(request);
	if (ret) {
		pr_err("%s encryption failed: %d\n", impl, ret);
		goto out;
	}
	ret = fips_check_result(buf, tv->ciphertext, tv->ciphertext_size,
				impl, "encryption");
	if (ret)
		goto out;

	/*
	 * Decrypt the ciphertext (which includes the authentication tag), then
	 * verify the resulting plaintext. Only the plaintext_size prefix of
	 * buf is compared after decryption.
	 */
	memcpy(iv_buf, tv->iv, tv->iv_size);
	aead_request_set_crypt(request, sgl, sgl, tv->ciphertext_size, iv_buf);
	ret = crypto_aead_decrypt(request);
	if (ret) {
		pr_err("%s decryption failed: %d\n", impl, ret);
		goto out;
	}
	ret = fips_check_result(buf, tv->plaintext, tv->plaintext_size,
				impl, "decryption");
out:
	kfree(buf);
	kfree(ad);
	aead_request_free(request);
	crypto_free_aead(tfm);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) * Test a hash algorithm using the crypto_shash API.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) * Note that we don't need to test the crypto_ahash API too, since none of the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) * hash algorithms in the FIPS module have the ASYNC flag, and thus there will
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) * be no hash algorithms that can be accessed only through crypto_ahash.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) */
static int __init __must_check
fips_test_hash(const struct fips_test *test, const char *impl)
{
	const struct hash_testvec *tv = &test->hash;
	struct crypto_shash *tfm;
	u8 computed[HASH_MAX_DIGESTSIZE];
	int ret;

	/* The expected digest must fit in the on-stack output buffer. */
	if (WARN_ON(tv->digest_size > HASH_MAX_DIGESTSIZE))
		return -EINVAL;

	tfm = crypto_alloc_shash(impl, 0, 0);
	if (IS_ERR(tfm))
		return fips_handle_alloc_tfm_error(impl, PTR_ERR(tfm));

	ret = fips_validate_alg(&crypto_shash_alg(tfm)->base);
	if (ret)
		goto out;

	/*
	 * Requiring the exact digest size ties the number of bytes compared
	 * below to what the implementation actually writes.
	 */
	if (crypto_shash_digestsize(tfm) != tv->digest_size) {
		pr_err("%s has wrong digest size\n", impl);
		ret = -EINVAL;
		goto out;
	}

	/* A key is set only for vectors that supply one. */
	if (tv->key != NULL) {
		ret = crypto_shash_setkey(tfm, tv->key, tv->key_size);
		if (ret) {
			pr_err("failed to set %s key: %d\n", impl, ret);
			goto out;
		}
	}

	ret = crypto_shash_tfm_digest(tfm, tv->message, tv->message_size,
				      computed);
	if (ret) {
		pr_err("%s digest computation failed: %d\n", impl, ret);
		goto out;
	}

	ret = fips_check_result(computed, tv->digest, tv->digest_size,
				impl, "digest");
out:
	crypto_free_shash(tfm);
	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 447)
/*
 * Known-answer test for the sha256() library function, which is called
 * directly here instead of going through a crypto API transform.
 *
 * @test: self-test entry; only its ->hash test vector is read.
 * @impl: label forwarded to fips_check_result(); it selects no code in
 *	  this function.
 *
 * Return: -EINVAL if the vector's digest is not SHA256_DIGEST_SIZE bytes
 * long, otherwise the result of fips_check_result().
 */
static int __init __must_check
fips_test_sha256_library(const struct fips_test *test, const char *impl)
{
	const struct hash_testvec *tv = &test->hash;
	u8 actual[SHA256_DIGEST_SIZE];

	/*
	 * The stack buffer holds exactly one SHA-256 digest, and digest_size
	 * is the length given to the comparison below.  Insisting on an exact
	 * match means the comparison neither runs past the buffer nor covers
	 * only a prefix of the digest (presumably fips_check_result() compares
	 * digest_size bytes; its body is not shown here).
	 */
	if (WARN_ON(tv->digest_size != SHA256_DIGEST_SIZE))
		return -EINVAL;

	sha256(tv->message, tv->message_size, actual);

	return fips_check_result(actual, tv->digest, tv->digest_size,
				 impl, "digest");
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 461)
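/*
 * Test a DRBG using the crypto_rng API.
 *
 * @test: self-test entry; only its ->drbg test vector is read.
 * @impl: name handed to crypto_alloc_rng(); also used in log messages.
 *
 * The DRBG is reset with the entropy and personalization string from the
 * test vector instead of a live entropy source, so its output can be
 * compared with a known answer.  Two generate requests of out_size bytes are
 * issued into the same buffer; only the output of the second one is checked,
 * as the first is overwritten.
 *
 * Return: 0 on success or a negative errno.  If the RNG cannot be allocated,
 * the return value is whatever fips_handle_alloc_tfm_error() decides.
 */
static int __init __must_check
fips_test_drbg(const struct fips_test *test, const char *impl)
{
	const struct drbg_testvec *vec = &test->drbg;
	struct crypto_rng *rng;
	u8 *output = NULL;
	struct drbg_test_data test_data;
	struct drbg_string addtl, pers, testentropy;
	int err;

	rng = crypto_alloc_rng(impl, 0, 0);
	if (IS_ERR(rng))
		return fips_handle_alloc_tfm_error(impl, PTR_ERR(rng));
	err = fips_validate_alg(&crypto_rng_alg(rng)->base);
	if (err)
		goto out;

	output = kzalloc(vec->out_size, GFP_KERNEL);
	if (!output) {
		err = -ENOMEM;
		goto out;
	}

	/*
	 * Initialize the DRBG with the entropy and personalization string given
	 * in the test vector.  test_data keeps pointing at testentropy, so
	 * refilling testentropy later changes what the *_test calls consume.
	 */
	test_data.testentropy = &testentropy;
	drbg_string_fill(&testentropy, vec->entropy, vec->entropy_size);
	drbg_string_fill(&pers, vec->pers, vec->pers_size);
	err = crypto_drbg_reset_test(rng, &pers, &test_data);
	if (err) {
		/*
		 * NOTE(review): unlike the two generate paths below, this
		 * message does not include the error code.
		 */
		pr_err("failed to reset %s\n", impl);
		goto out;
	}

	/*
	 * Generate some random bytes using the additional data string provided
	 * in the test vector.  Also use the additional entropy if provided
	 * (relevant for the prediction-resistant DRBG variants only).
	 */
	drbg_string_fill(&addtl, vec->add_a, vec->add_size);
	if (vec->entpr_size) {
		drbg_string_fill(&testentropy, vec->entpr_a, vec->entpr_size);
		err = crypto_drbg_get_bytes_addtl_test(rng, output,
						       vec->out_size, &addtl,
						       &test_data);
	} else {
		err = crypto_drbg_get_bytes_addtl(rng, output, vec->out_size,
						  &addtl);
	}
	if (err) {
		pr_err("failed to get bytes from %s (try 1): %d\n",
		       impl, err);
		goto out;
	}

	/*
	 * Do the same again, using a second additional data string, and (when
	 * applicable) a second additional entropy string.  The condition reads
	 * the size through vec, like the first request does, instead of
	 * spelling the same field as test->drbg.entpr_size.
	 */
	drbg_string_fill(&addtl, vec->add_b, vec->add_size);
	if (vec->entpr_size) {
		drbg_string_fill(&testentropy, vec->entpr_b, vec->entpr_size);
		err = crypto_drbg_get_bytes_addtl_test(rng, output,
						       vec->out_size, &addtl,
						       &test_data);
	} else {
		err = crypto_drbg_get_bytes_addtl(rng, output, vec->out_size,
						  &addtl);
	}
	if (err) {
		pr_err("failed to get bytes from %s (try 2): %d\n",
		       impl, err);
		goto out;
	}

	/* Check that the DRBG generated the expected output. */
	err = fips_check_result(output, vec->output, vec->out_size,
				impl, "get_bytes");
out:
	/* output is still NULL if we bailed out before the allocation. */
	kfree(output);
	crypto_free_rng(rng);
	return err;
}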
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 548)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 549) /* Include the test vectors generated by the Python script. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 550) #include "fips140-generated-testvecs.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 551)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 552) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 553) * List of all self-tests. Keep this in sync with fips140_algorithms[].
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 554) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 555) * When possible, we have followed the FIPS 140-2 Implementation Guidance (IG)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 556) * document when creating this list of tests. The result is intended to be a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 557) * list of tests that is near-minimal (and thus minimizes runtime overhead)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 558) * while complying with all requirements. For additional details, see the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 559) * comment at the beginning of this file.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 560) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 561) static const struct fips_test fips140_selftests[] __initconst = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 562) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 563) * Test for the AES library API.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 564) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 565) * Since the AES library API may use its own AES implementation and the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 566) * module provides no support for composing it with a mode of operation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 567) * (it's just plain AES), we must test it directly.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 568) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 569) * In contrast, we don't need to directly test the "aes" ciphers that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 570) * are accessible through the crypto_cipher API (e.g. "aes-ce"), as they
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 571) * are covered indirectly by AES-CMAC and AES-ECB tests.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 572) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 573) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 574) .alg = "aes",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 575) .impls = {"aes-lib"},
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 576) .func = fips_test_aes_library,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 577) .skcipher = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 578) .key = fips_aes_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 579) .key_size = sizeof(fips_aes_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 580) .plaintext = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 581) .ciphertext = fips_aes_ecb_ciphertext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 582) .message_size = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 583) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 584) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 585) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 586) * Tests for AES-CMAC, a.k.a. "cmac(aes)" in crypto API syntax.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 587) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 588) * The IG requires that each underlying AES implementation be tested in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 589) * an authenticated mode, if implemented. Of such modes, this module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 590) * implements AES-GCM and AES-CMAC. However, AES-GCM doesn't "count"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 591) * because this module's implementations of AES-GCM won't actually be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 592) * FIPS-approved, due to a quirk in the FIPS requirements.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 593) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 594) * Therefore, for us this requirement applies to AES-CMAC, so we must
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 595) * test the "cmac" template composed with each "aes" implementation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 596) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 597) * Separately from the above, we also must test all standalone
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 598) * implementations of "cmac(aes)" such as "cmac-aes-ce", as they don't
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 599) * reuse another full AES implementation and thus can't be covered by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 600) * another test.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 601) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 602) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 603) .alg = "cmac(aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 604) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 605) /* "cmac" template with all "aes" implementations */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 606) "cmac(aes-generic)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 607) "cmac(aes-arm64)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 608) "cmac(aes-ce)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 609) /* All standalone implementations of "cmac(aes)" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 610) "cmac-aes-neon",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 611) "cmac-aes-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 612) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 613) .func = fips_test_hash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 614) .hash = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 615) .key = fips_aes_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 616) .key_size = sizeof(fips_aes_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 617) .message = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 618) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 619) .digest = fips_aes_cmac_digest,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 620) .digest_size = sizeof(fips_aes_cmac_digest),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 621) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 622) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 623) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 624) * Tests for AES-ECB, a.k.a. "ecb(aes)" in crypto API syntax.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 625) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 626) * The IG requires that each underlying AES implementation be tested in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 627) * a mode that exercises the encryption direction of AES and in a mode
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 628) * that exercises the decryption direction of AES. CMAC only covers the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 629) * encryption direction, so we choose ECB to test decryption. Thus, we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 630) * test the "ecb" template composed with each "aes" implementation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 631) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 632) * Separately from the above, we also must test all standalone
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 633) * implementations of "ecb(aes)" such as "ecb-aes-ce", as they don't
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 634) * reuse another full AES implementation and thus can't be covered by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 635) * another test.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 636) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 637) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 638) .alg = "ecb(aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 639) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 640) /* "ecb" template with all "aes" implementations */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 641) "ecb(aes-generic)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 642) "ecb(aes-arm64)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 643) "ecb(aes-ce)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 644) /* All standalone implementations of "ecb(aes)" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 645) "ecb-aes-neon",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 646) "ecb-aes-neonbs",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 647) "ecb-aes-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 648) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 649) .func = fips_test_skcipher,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 650) .skcipher = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 651) .key = fips_aes_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 652) .key_size = sizeof(fips_aes_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 653) .plaintext = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 654) .ciphertext = fips_aes_ecb_ciphertext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 655) .message_size = sizeof(fips_message)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 656) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 657) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 658) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 659) * Tests for AES-CBC, AES-CBC-CTS, AES-CTR, AES-XTS, and AES-GCM.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 660) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 661) * According to the IG, an AES mode of operation doesn't need to have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 662) * its own test, provided that (a) both the encryption and decryption
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 663) * directions of the underlying AES implementation are already tested
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 664) * via other mode(s), and (b) in the case of an authenticated mode, at
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 665) * least one other authenticated mode is already tested. The tests of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 666) * the "cmac" and "ecb" templates fulfill these conditions; therefore,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 667) * we don't need to test any other AES mode templates.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 668) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 669) * This does *not* apply to standalone implementations of these modes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 670) * such as "cbc-aes-ce", as such implementations don't reuse another
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 671) * full AES implementation and thus can't be covered by another test.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 672) * We must test all such standalone implementations.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 673) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 674) * The AES-GCM test isn't actually required, as it's expected that this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 675) * module's AES-GCM implementation won't actually be able to be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 676) * FIPS-approved. This is unfortunate; it's caused by the FIPS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 677) * requirements for GCM being incompatible with GCM implementations that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 678) * don't generate their own IVs. We choose to still include the AES-GCM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 679) * test to keep it on par with the other FIPS-approved algorithms, in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 680) * case it turns out that AES-GCM can be approved after all.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 681) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 682) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 683) .alg = "cbc(aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 684) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 685) /* All standalone implementations of "cbc(aes)" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 686) "cbc-aes-neon",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 687) "cbc-aes-neonbs",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 688) "cbc-aes-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 689) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 690) .func = fips_test_skcipher,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 691) .skcipher = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 692) .key = fips_aes_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 693) .key_size = sizeof(fips_aes_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 694) .iv = fips_aes_iv,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 695) .iv_size = sizeof(fips_aes_iv),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 696) .plaintext = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 697) .ciphertext = fips_aes_cbc_ciphertext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 698) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 699) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 700) }, {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 701) .alg = "cts(cbc(aes))",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 702) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 703) /* All standalone implementations of "cts(cbc(aes))" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 704) "cts-cbc-aes-neon",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 705) "cts-cbc-aes-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 706) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 707) .func = fips_test_skcipher,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 708) /* Test vector taken from RFC 3962 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 709) .skcipher = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 710) .key = "\x63\x68\x69\x63\x6b\x65\x6e\x20"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 711) "\x74\x65\x72\x69\x79\x61\x6b\x69",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 712) .key_size = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 713) .iv = "\x00\x00\x00\x00\x00\x00\x00\x00"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 714) "\x00\x00\x00\x00\x00\x00\x00\x00",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 715) .iv_size = 16,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 716) .plaintext = "\x49\x20\x77\x6f\x75\x6c\x64\x20"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 717) "\x6c\x69\x6b\x65\x20\x74\x68\x65"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 718) "\x20\x47\x65\x6e\x65\x72\x61\x6c"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 719) "\x20\x47\x61\x75\x27\x73\x20",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 720) .ciphertext = "\xfc\x00\x78\x3e\x0e\xfd\xb2\xc1"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 721) "\xd4\x45\xd4\xc8\xef\xf7\xed\x22"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 722) "\x97\x68\x72\x68\xd6\xec\xcc\xc0"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 723) "\xc0\x7b\x25\xe2\x5e\xcf\xe5",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 724) .message_size = 31,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 725) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 726) }, {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 727) .alg = "ctr(aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 728) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 729) /* All standalone implementations of "ctr(aes)" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 730) "ctr-aes-neon",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 731) "ctr-aes-neonbs",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 732) "ctr-aes-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 733) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 734) .func = fips_test_skcipher,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 735) .skcipher = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 736) .key = fips_aes_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 737) .key_size = sizeof(fips_aes_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 738) .iv = fips_aes_iv,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 739) .iv_size = sizeof(fips_aes_iv),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 740) .plaintext = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 741) .ciphertext = fips_aes_ctr_ciphertext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 742) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 743) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 744) }, {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 745) .alg = "xts(aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 746) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 747) /* All standalone implementations of "xts(aes)" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 748) "xts-aes-neon",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 749) "xts-aes-neonbs",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 750) "xts-aes-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 751) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 752) .func = fips_test_skcipher,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 753) .skcipher = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 754) .key = fips_aes_xts_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 755) .key_size = sizeof(fips_aes_xts_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 756) .iv = fips_aes_iv,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 757) .iv_size = sizeof(fips_aes_iv),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 758) .plaintext = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 759) .ciphertext = fips_aes_xts_ciphertext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 760) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 761) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 762) }, {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 763) .alg = "gcm(aes)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 765) /* All standalone implementations of "gcm(aes)" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 766) "gcm-aes-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 767) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 768) .func = fips_test_aead,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 769) .aead = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 770) .key = fips_aes_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 771) .key_size = sizeof(fips_aes_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 772) .iv = fips_aes_iv,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 773) /* The GCM implementations assume an IV size of 12. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 774) .iv_size = 12,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 775) .assoc = fips_aes_gcm_assoc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 776) .assoc_size = sizeof(fips_aes_gcm_assoc),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 777) .plaintext = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 778) .plaintext_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 779) .ciphertext = fips_aes_gcm_ciphertext,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 780) .ciphertext_size = sizeof(fips_aes_gcm_ciphertext),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 781) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 782) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 783)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 784) /* Tests for SHA-1 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 785) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 786) .alg = "sha1",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 787) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 788) /* All implementations of "sha1" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 789) "sha1-generic",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 790) "sha1-ce"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 791) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 792) .func = fips_test_hash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 793) .hash = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 794) .message = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 795) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 796) .digest = fips_sha1_digest,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 797) .digest_size = sizeof(fips_sha1_digest)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 798) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 799) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 800) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 801) * Tests for all SHA-256 implementations other than the sha256() library
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 802) * function. As per the IG, these tests also fulfill the tests for the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 803) * corresponding SHA-224 implementations.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 804) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 805) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 806) .alg = "sha256",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 807) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 808) /* All implementations of "sha256" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 809) "sha256-generic",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 810) "sha256-arm64",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 811) "sha256-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 812) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 813) .func = fips_test_hash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 814) .hash = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 815) .message = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 816) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 817) .digest = fips_sha256_digest,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 818) .digest_size = sizeof(fips_sha256_digest)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 819) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 820) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 821) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 822) * Test for the sha256() library function. This must be tested
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 823) * separately because it may use its own SHA-256 implementation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 824) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 825) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 826) .alg = "sha256",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 827) .impls = {"sha256-lib"},
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 828) .func = fips_test_sha256_library,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 829) .hash = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 830) .message = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 831) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 832) .digest = fips_sha256_digest,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 833) .digest_size = sizeof(fips_sha256_digest)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 834) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 835) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 836) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 837) * Tests for all SHA-512 implementations. As per the IG, these tests
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 838) * also fulfill the tests for the corresponding SHA-384 implementations.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 839) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 840) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 841) .alg = "sha512",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 842) .impls = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 843) /* All implementations of "sha512" */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 844) "sha512-generic",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 845) "sha512-arm64",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 846) "sha512-ce",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 847) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 848) .func = fips_test_hash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 849) .hash = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 850) .message = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 851) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 852) .digest = fips_sha512_digest,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 853) .digest_size = sizeof(fips_sha512_digest)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 854) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 855) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 856) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 857) * Test for HMAC. As per the IG, only one HMAC test is required,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 858) * provided that the same HMAC code is shared by all HMAC-SHA*. This is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 859) * true in our case. We choose HMAC-SHA256 for the test.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 860) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 861) * Note that as per the IG, this can fulfill the test for the underlying
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 862) * SHA. However, we don't currently rely on this.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 863) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 864) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 865) .alg = "hmac(sha256)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 866) .func = fips_test_hash,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 867) .hash = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 868) .key = fips_hmac_key,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 869) .key_size = sizeof(fips_hmac_key),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 870) .message = fips_message,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 871) .message_size = sizeof(fips_message),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 872) .digest = fips_hmac_sha256_digest,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 873) .digest_size = sizeof(fips_hmac_sha256_digest)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 874) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 875) },
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 876) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 877) * Known-answer tests for the SP800-90A DRBG algorithms.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 878) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 879) * These test vectors were manually extracted from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 880) * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 881) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 882) * The selection of these tests follows the FIPS 140-2 IG as well as
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 883) * Section 11 of SP800-90A:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 884) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 885) * - We must test all DRBG types (HMAC, Hash, and CTR) that the module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 886) * implements. However, currently the module only implements
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 887) * HMAC_DRBG (since CONFIG_CRYPTO_DRBG_CTR and CONFIG_CRYPTO_DRBG_HASH
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 888) * aren't enabled). Therefore, we only need to test HMAC_DRBG.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 889) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 890) * - We only need to test one HMAC variant.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 891) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 892) * - We must test all DRBG operations: Instantiate(), Reseed(), and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 893) * Generate(). However, a single test sequence with a single output
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 894) * comparison may cover all three operations, and this is what we do.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 895) * Note that Reseed() happens implicitly via the use of the additional
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 896) * input and also via the use of prediction resistance when enabled.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 897) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 898) * - The personalization string, additional input, and prediction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 899) * resistance support must be tested. Therefore we have chosen test
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 900) * vectors that have a nonempty personalization string and nonempty
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 901) * additional input, and we test the prediction-resistant variant.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 902) * Testing the non-prediction-resistant variant is not required.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 903) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 904) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 905) .alg = "drbg_pr_hmac_sha256",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 906) .func = fips_test_drbg,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 907) .drbg = {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 908) .entropy =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 909) "\xc7\xcc\xbc\x67\x7e\x21\x66\x1e\x27\x2b\x63\xdd"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 910) "\x3a\x78\xdc\xdf\x66\x6d\x3f\x24\xae\xcf\x37\x01"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 911) "\xa9\x0d\x89\x8a\xa7\xdc\x81\x58\xae\xb2\x10\x15"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 912) "\x7e\x18\x44\x6d\x13\xea\xdf\x37\x85\xfe\x81\xfb",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 913) .entropy_size = 48,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 914) .entpr_a =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 915) "\x7b\xa1\x91\x5b\x3c\x04\xc4\x1b\x1d\x19\x2f\x1a"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 916) "\x18\x81\x60\x3c\x6c\x62\x91\xb7\xe9\xf5\xcb\x96"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 917) "\xbb\x81\x6a\xcc\xb5\xae\x55\xb6",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 918) .entpr_b =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 919) "\x99\x2c\xc7\x78\x7e\x3b\x88\x12\xef\xbe\xd3\xd2"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 920) "\x7d\x2a\xa5\x86\xda\x8d\x58\x73\x4a\x0a\xb2\x2e"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 921) "\xbb\x4c\x7e\xe3\x9a\xb6\x81\xc1",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 922) .entpr_size = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 923) .output =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 924) "\x95\x6f\x95\xfc\x3b\xb7\xfe\x3e\xd0\x4e\x1a\x14"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 925) "\x6c\x34\x7f\x7b\x1d\x0d\x63\x5e\x48\x9c\x69\xe6"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 926) "\x46\x07\xd2\x87\xf3\x86\x52\x3d\x98\x27\x5e\xd7"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 927) "\x54\xe7\x75\x50\x4f\xfb\x4d\xfd\xac\x2f\x4b\x77"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 928) "\xcf\x9e\x8e\xcc\x16\xa2\x24\xcd\x53\xde\x3e\xc5"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 929) "\x55\x5d\xd5\x26\x3f\x89\xdf\xca\x8b\x4e\x1e\xb6"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 930) "\x88\x78\x63\x5c\xa2\x63\x98\x4e\x6f\x25\x59\xb1"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 931) "\x5f\x2b\x23\xb0\x4b\xa5\x18\x5d\xc2\x15\x74\x40"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 932) "\x59\x4c\xb4\x1e\xcf\x9a\x36\xfd\x43\xe2\x03\xb8"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 933) "\x59\x91\x30\x89\x2a\xc8\x5a\x43\x23\x7c\x73\x72"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 934) "\xda\x3f\xad\x2b\xba\x00\x6b\xd1",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 935) .out_size = 128,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 936) .add_a =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 937) "\x18\xe8\x17\xff\xef\x39\xc7\x41\x5c\x73\x03\x03"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 938) "\xf6\x3d\xe8\x5f\xc8\xab\xe4\xab\x0f\xad\xe8\xd6"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 939) "\x86\x88\x55\x28\xc1\x69\xdd\x76",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 940) .add_b =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 941) "\xac\x07\xfc\xbe\x87\x0e\xd3\xea\x1f\x7e\xb8\xe7"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 942) "\x9d\xec\xe8\xe7\xbc\xf3\x18\x25\x77\x35\x4a\xaa"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 943) "\x00\x99\x2a\xdd\x0a\x00\x50\x82",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 944) .add_size = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 945) .pers =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 946) "\xbc\x55\xab\x3c\xf6\x52\xb0\x11\x3d\x7b\x90\xb8"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 947) "\x24\xc9\x26\x4e\x5a\x1e\x77\x0d\x3d\x58\x4a\xda"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 948) "\xd1\x81\xe9\xf8\xeb\x30\x8f\x6f",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 949) .pers_size = 32,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 950) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 951) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 952) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 953)
/*
 * Run a single self-test entry.
 *
 * @test: the table entry to run; its ->func callback is invoked once per
 *        implementation name.
 *
 * When the entry lists no implementations (->impls[0] is NULL), ->func is
 * called once with the algorithm name itself, i.e. whichever implementation
 * that name resolves to.  Otherwise ->func is called for each listed
 * implementation in order, stopping at the first NULL slot or at the end of
 * the ->impls array.
 *
 * Return: 0 if every invocation succeeded, otherwise the first nonzero value
 * returned by ->func.  The failure is logged with pr_emerg() and the
 * remaining implementations are not tried.  The function is __must_check, so
 * a caller that ignores the result gets a compiler warning.
 */
static int __init __must_check
fips_run_test(const struct fips_test *test)
{
	int idx = 0;
	int ret;

	/* Empty implementation list: test under the generic algorithm name. */
	if (!test->impls[0]) {
		ret = test->func(test, test->alg);
		if (ret != 0)
			pr_emerg("self-tests failed for algorithm %s: %d\n",
				 test->alg, ret);
		return ret;
	}

	/* Explicit list: every named implementation must pass on its own. */
	while (idx < ARRAY_SIZE(test->impls) && test->impls[idx]) {
		ret = test->func(test, test->impls[idx]);
		if (ret != 0) {
			pr_emerg("self-tests failed for algorithm %s, implementation %s: %d\n",
				 test->alg, test->impls[idx], ret);
			return ret;
		}
		idx++;
	}

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 984)
/*
 * Run every entry of fips140_selftests[] in table order.
 *
 * Return: true if all entries passed; false as soon as one entry fails, in
 * which case the remaining entries are skipped and the "all self-tests
 * passed" message is not printed.  This function does not panic itself;
 * the caller is responsible for calling panic() on a false return.
 */
bool __init fips140_run_selftests(void)
{
	int n = 0;

	pr_info("running self-tests\n");

	while (n < ARRAY_SIZE(fips140_selftests)) {
		/* The caller is responsible for calling panic(). */
		if (fips_run_test(&fips140_selftests[n]))
			return false;
		n++;
	}

	pr_info("all self-tests passed\n");
	return true;
}