lib/crypto/tests/polyval_kunit.c at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / lib / crypto / tests / polyval_kunit.c
at master 6.9 kB view raw
  1// SPDX-License-Identifier: GPL-2.0-or-later
  2/*
  3 * Copyright 2025 Google LLC
  4 */
  5#include <crypto/polyval.h>
  6#include "polyval-testvecs.h"
  7
  8/*
  9 * A fixed key used when presenting POLYVAL as an unkeyed hash function in order
 10 * to reuse hash-test-template.h.  At the beginning of the test suite, this is
 11 * initialized to a key prepared from bytes generated from a fixed seed.
 12 */
 13static struct polyval_key test_key;
 14
 15static void polyval_init_withtestkey(struct polyval_ctx *ctx)
 16{
 17	polyval_init(ctx, &test_key);
 18}
 19
 20static void polyval_withtestkey(const u8 *data, size_t len,
 21				u8 out[POLYVAL_BLOCK_SIZE])
 22{
 23	polyval(&test_key, data, len, out);
 24}
 25
 26/* Generate the HASH_KUNIT_CASES using hash-test-template.h. */
 27#define HASH polyval_withtestkey
 28#define HASH_CTX polyval_ctx
 29#define HASH_SIZE POLYVAL_BLOCK_SIZE
 30#define HASH_INIT polyval_init_withtestkey
 31#define HASH_UPDATE polyval_update
 32#define HASH_FINAL polyval_final
 33#include "hash-test-template.h"
 34
 35/*
 36 * Test an example from RFC8452 ("AES-GCM-SIV: Nonce Misuse-Resistant
 37 * Authenticated Encryption") to ensure compatibility with that.
 38 */
 39static void test_polyval_rfc8452_testvec(struct kunit *test)
 40{
 41	static const u8 raw_key[POLYVAL_BLOCK_SIZE] =
 42		"\x31\x07\x28\xd9\x91\x1f\x1f\x38"
 43		"\x37\xb2\x43\x16\xc3\xfa\xb9\xa0";
 44	static const u8 data[48] =
 45		"\x65\x78\x61\x6d\x70\x6c\x65\x00"
 46		"\x00\x00\x00\x00\x00\x00\x00\x00"
 47		"\x48\x65\x6c\x6c\x6f\x20\x77\x6f"
 48		"\x72\x6c\x64\x00\x00\x00\x00\x00"
 49		"\x38\x00\x00\x00\x00\x00\x00\x00"
 50		"\x58\x00\x00\x00\x00\x00\x00\x00";
 51	static const u8 expected_hash[POLYVAL_BLOCK_SIZE] =
 52		"\xad\x7f\xcf\x0b\x51\x69\x85\x16"
 53		"\x62\x67\x2f\x3c\x5f\x95\x13\x8f";
 54	u8 hash[POLYVAL_BLOCK_SIZE];
 55	struct polyval_key key;
 56
 57	polyval_preparekey(&key, raw_key);
 58	polyval(&key, data, sizeof(data), hash);
 59	KUNIT_ASSERT_MEMEQ(test, hash, expected_hash, sizeof(hash));
 60}
 61
 62/*
 63 * Test a key and messages containing all one bits.  This is useful to detect
 64 * overflow bugs in implementations that emulate carryless multiplication using
 65 * a series of standard multiplications with the bits spread out.
 66 */
 67static void test_polyval_allones_key_and_message(struct kunit *test)
 68{
 69	struct polyval_key key;
 70	struct polyval_ctx hashofhashes_ctx;
 71	u8 hash[POLYVAL_BLOCK_SIZE];
 72
 73	static_assert(TEST_BUF_LEN >= 4096);
 74	memset(test_buf, 0xff, 4096);
 75
 76	polyval_preparekey(&key, test_buf);
 77	polyval_init(&hashofhashes_ctx, &key);
 78	for (size_t len = 0; len <= 4096; len += 16) {
 79		polyval(&key, test_buf, len, hash);
 80		polyval_update(&hashofhashes_ctx, hash, sizeof(hash));
 81	}
 82	polyval_final(&hashofhashes_ctx, hash);
 83	KUNIT_ASSERT_MEMEQ(test, hash, polyval_allones_hashofhashes,
 84			   sizeof(hash));
 85}
 86
 87#define MAX_LEN_FOR_KEY_CHECK 1024
 88
 89/*
 90 * Given two prepared keys which should be identical (but may differ in
 91 * alignment and/or whether they are followed by a guard page or not), verify
 92 * that they produce consistent results on various data lengths.
 93 */
 94static void check_key_consistency(struct kunit *test,
 95				  const struct polyval_key *key1,
 96				  const struct polyval_key *key2)
 97{
 98	u8 *data = test_buf;
 99	u8 hash1[POLYVAL_BLOCK_SIZE];
100	u8 hash2[POLYVAL_BLOCK_SIZE];
101
102	rand_bytes(data, MAX_LEN_FOR_KEY_CHECK);
103	KUNIT_ASSERT_MEMEQ(test, key1, key2, sizeof(*key1));
104
105	for (int i = 0; i < 100; i++) {
106		size_t len = rand_length(MAX_LEN_FOR_KEY_CHECK);
107
108		polyval(key1, data, len, hash1);
109		polyval(key2, data, len, hash2);
110		KUNIT_ASSERT_MEMEQ(test, hash1, hash2, sizeof(hash1));
111	}
112}
113
114/* Test that no buffer overreads occur on either raw_key or polyval_key. */
115static void test_polyval_with_guarded_key(struct kunit *test)
116{
117	u8 raw_key[POLYVAL_BLOCK_SIZE];
118	u8 *guarded_raw_key = &test_buf[TEST_BUF_LEN - sizeof(raw_key)];
119	struct polyval_key key1, key2;
120	struct polyval_key *guarded_key =
121		(struct polyval_key *)&test_buf[TEST_BUF_LEN - sizeof(key1)];
122
123	/* Prepare with regular buffers. */
124	rand_bytes(raw_key, sizeof(raw_key));
125	polyval_preparekey(&key1, raw_key);
126
127	/* Prepare with guarded raw_key, then check that it works. */
128	memcpy(guarded_raw_key, raw_key, sizeof(raw_key));
129	polyval_preparekey(&key2, guarded_raw_key);
130	check_key_consistency(test, &key1, &key2);
131
132	/* Prepare guarded polyval_key, then check that it works. */
133	polyval_preparekey(guarded_key, raw_key);
134	check_key_consistency(test, &key1, guarded_key);
135}
136
137/*
138 * Test that polyval_key only needs to be aligned to
139 * __alignof__(struct polyval_key), i.e. 8 bytes.  The assembly code may prefer
140 * 16-byte or higher alignment, but it musn't require it.
141 */
142static void test_polyval_with_minimally_aligned_key(struct kunit *test)
143{
144	u8 raw_key[POLYVAL_BLOCK_SIZE];
145	struct polyval_key key;
146	struct polyval_key *minaligned_key =
147		(struct polyval_key *)&test_buf[MAX_LEN_FOR_KEY_CHECK +
148						__alignof__(struct polyval_key)];
149
150	KUNIT_ASSERT_TRUE(test, IS_ALIGNED((uintptr_t)minaligned_key,
151					   __alignof__(struct polyval_key)));
152	KUNIT_ASSERT_TRUE(test,
153			  !IS_ALIGNED((uintptr_t)minaligned_key,
154				      2 * __alignof__(struct polyval_key)));
155
156	rand_bytes(raw_key, sizeof(raw_key));
157	polyval_preparekey(&key, raw_key);
158	polyval_preparekey(minaligned_key, raw_key);
159	check_key_consistency(test, &key, minaligned_key);
160}
161
162struct polyval_irq_test_state {
163	struct polyval_key expected_key;
164	u8 raw_key[POLYVAL_BLOCK_SIZE];
165};
166
167static bool polyval_irq_test_func(void *state_)
168{
169	struct polyval_irq_test_state *state = state_;
170	struct polyval_key key;
171
172	polyval_preparekey(&key, state->raw_key);
173	return memcmp(&key, &state->expected_key, sizeof(key)) == 0;
174}
175
176/*
177 * Test that polyval_preparekey() produces the same output regardless of whether
178 * FPU or vector registers are usable when it is called.
179 */
180static void test_polyval_preparekey_in_irqs(struct kunit *test)
181{
182	struct polyval_irq_test_state state;
183
184	rand_bytes(state.raw_key, sizeof(state.raw_key));
185	polyval_preparekey(&state.expected_key, state.raw_key);
186	kunit_run_irq_test(test, polyval_irq_test_func, 200000, &state);
187}
188
189static int polyval_suite_init(struct kunit_suite *suite)
190{
191	u8 raw_key[POLYVAL_BLOCK_SIZE];
192
193	rand_bytes_seeded_from_len(raw_key, sizeof(raw_key));
194	polyval_preparekey(&test_key, raw_key);
195	return hash_suite_init(suite);
196}
197
198static void polyval_suite_exit(struct kunit_suite *suite)
199{
200	hash_suite_exit(suite);
201}
202
203static struct kunit_case polyval_test_cases[] = {
204	HASH_KUNIT_CASES,
205	KUNIT_CASE(test_polyval_rfc8452_testvec),
206	KUNIT_CASE(test_polyval_allones_key_and_message),
207	KUNIT_CASE(test_polyval_with_guarded_key),
208	KUNIT_CASE(test_polyval_with_minimally_aligned_key),
209	KUNIT_CASE(test_polyval_preparekey_in_irqs),
210	KUNIT_CASE(benchmark_hash),
211	{},
212};
213
214static struct kunit_suite polyval_test_suite = {
215	.name = "polyval",
216	.test_cases = polyval_test_cases,
217	.suite_init = polyval_suite_init,
218	.suite_exit = polyval_suite_exit,
219};
220kunit_test_suite(polyval_test_suite);
221
222MODULE_DESCRIPTION("KUnit tests and benchmark for POLYVAL");
223MODULE_LICENSE("GPL");