xref: /linux/lib/crypto/tests/hash-test-template.h (revision 2330437da0994321020777c605a2a8cb0ecb7001)
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /*
3  * Test cases for hash functions, including a benchmark.  This is included by
4  * KUnit test suites that want to use it.  See sha512_kunit.c for an example.
5  *
6  * Copyright 2025 Google LLC
7  */
8 #include <kunit/test.h>
9 #include <linux/hrtimer.h>
10 #include <linux/timekeeping.h>
11 #include <linux/vmalloc.h>
12 #include <linux/workqueue.h>
13 
14 /* test_buf is a guarded buffer, i.e. &test_buf[TEST_BUF_LEN] is not mapped. */
15 #define TEST_BUF_LEN 16384
16 static u8 *test_buf;
17 
18 static u8 *orig_test_buf;
19 
20 static u64 random_seed;
21 
22 /*
23  * This is a simple linear congruential generator.  It is used only for testing,
24  * which does not require cryptographically secure random numbers.  A hard-coded
25  * algorithm is used instead of <linux/prandom.h> so that it matches the
26  * algorithm used by the test vector generation script.  This allows the input
27  * data in random test vectors to be concisely stored as just the seed.
28  */
29 static u32 rand32(void)
30 {
31 	random_seed = (random_seed * 25214903917 + 11) & ((1ULL << 48) - 1);
32 	return random_seed >> 16;
33 }
34 
35 static void rand_bytes(u8 *out, size_t len)
36 {
37 	for (size_t i = 0; i < len; i++)
38 		out[i] = rand32();
39 }
40 
41 static void rand_bytes_seeded_from_len(u8 *out, size_t len)
42 {
43 	random_seed = len;
44 	rand_bytes(out, len);
45 }
46 
47 static bool rand_bool(void)
48 {
49 	return rand32() % 2;
50 }
51 
52 /* Generate a random length, preferring small lengths. */
53 static size_t rand_length(size_t max_len)
54 {
55 	size_t len;
56 
57 	switch (rand32() % 3) {
58 	case 0:
59 		len = rand32() % 128;
60 		break;
61 	case 1:
62 		len = rand32() % 3072;
63 		break;
64 	default:
65 		len = rand32();
66 		break;
67 	}
68 	return len % (max_len + 1);
69 }
70 
71 static size_t rand_offset(size_t max_offset)
72 {
73 	return min(rand32() % 128, max_offset);
74 }
75 
76 static int hash_suite_init(struct kunit_suite *suite)
77 {
78 	/*
79 	 * Allocate the test buffer using vmalloc() with a page-aligned length
80 	 * so that it is immediately followed by a guard page.  This allows
81 	 * buffer overreads to be detected, even in assembly code.
82 	 */
83 	size_t alloc_len = round_up(TEST_BUF_LEN, PAGE_SIZE);
84 
85 	orig_test_buf = vmalloc(alloc_len);
86 	if (!orig_test_buf)
87 		return -ENOMEM;
88 
89 	test_buf = orig_test_buf + alloc_len - TEST_BUF_LEN;
90 	return 0;
91 }
92 
93 static void hash_suite_exit(struct kunit_suite *suite)
94 {
95 	vfree(orig_test_buf);
96 	orig_test_buf = NULL;
97 	test_buf = NULL;
98 }
99 
100 /*
101  * Test the hash function against a list of test vectors.
102  *
103  * Note that it's only necessary to run each test vector in one way (e.g.,
104  * one-shot instead of incremental), since consistency between different ways of
105  * using the APIs is verified by other test cases.
106  */
107 static void test_hash_test_vectors(struct kunit *test)
108 {
109 	for (size_t i = 0; i < ARRAY_SIZE(hash_testvecs); i++) {
110 		size_t data_len = hash_testvecs[i].data_len;
111 		u8 actual_hash[HASH_SIZE];
112 
113 		KUNIT_ASSERT_LE(test, data_len, TEST_BUF_LEN);
114 		rand_bytes_seeded_from_len(test_buf, data_len);
115 
116 		HASH(test_buf, data_len, actual_hash);
117 		KUNIT_ASSERT_MEMEQ_MSG(
118 			test, actual_hash, hash_testvecs[i].digest, HASH_SIZE,
119 			"Wrong result with test vector %zu; data_len=%zu", i,
120 			data_len);
121 	}
122 }
123 
124 /*
125  * Test that the hash function produces correct results for *every* length up to
126  * 4096 bytes.  To do this, generate seeded random data, then calculate a hash
127  * value for each length 0..4096, then hash the hash values.  Verify just the
128  * final hash value, which should match only when all hash values were correct.
129  */
130 static void test_hash_all_lens_up_to_4096(struct kunit *test)
131 {
132 	struct HASH_CTX ctx;
133 	u8 hash[HASH_SIZE];
134 
135 	static_assert(TEST_BUF_LEN >= 4096);
136 	rand_bytes_seeded_from_len(test_buf, 4096);
137 	HASH_INIT(&ctx);
138 	for (size_t len = 0; len <= 4096; len++) {
139 		HASH(test_buf, len, hash);
140 		HASH_UPDATE(&ctx, hash, HASH_SIZE);
141 	}
142 	HASH_FINAL(&ctx, hash);
143 	KUNIT_ASSERT_MEMEQ(test, hash, hash_testvec_consolidated, HASH_SIZE);
144 }
145 
146 /*
147  * Test that the hash function produces the same result with a one-shot
148  * computation as it does with an incremental computation.
149  */
150 static void test_hash_incremental_updates(struct kunit *test)
151 {
152 	for (int i = 0; i < 1000; i++) {
153 		size_t total_len, offset;
154 		struct HASH_CTX ctx;
155 		u8 hash1[HASH_SIZE];
156 		u8 hash2[HASH_SIZE];
157 		size_t num_parts = 0;
158 		size_t remaining_len, cur_offset;
159 
160 		total_len = rand_length(TEST_BUF_LEN);
161 		offset = rand_offset(TEST_BUF_LEN - total_len);
162 		rand_bytes(&test_buf[offset], total_len);
163 
164 		/* Compute the hash value in one shot. */
165 		HASH(&test_buf[offset], total_len, hash1);
166 
167 		/*
168 		 * Compute the hash value incrementally, using a randomly
169 		 * selected sequence of update lengths that sum to total_len.
170 		 */
171 		HASH_INIT(&ctx);
172 		remaining_len = total_len;
173 		cur_offset = offset;
174 		while (rand_bool()) {
175 			size_t part_len = rand_length(remaining_len);
176 
177 			HASH_UPDATE(&ctx, &test_buf[cur_offset], part_len);
178 			num_parts++;
179 			cur_offset += part_len;
180 			remaining_len -= part_len;
181 		}
182 		if (remaining_len != 0 || rand_bool()) {
183 			HASH_UPDATE(&ctx, &test_buf[cur_offset], remaining_len);
184 			num_parts++;
185 		}
186 		HASH_FINAL(&ctx, hash2);
187 
188 		/* Verify that the two hash values are the same. */
189 		KUNIT_ASSERT_MEMEQ_MSG(
190 			test, hash1, hash2, HASH_SIZE,
191 			"Incremental test failed with total_len=%zu num_parts=%zu offset=%zu",
192 			total_len, num_parts, offset);
193 	}
194 }
195 
196 /*
197  * Test that the hash function does not overrun any buffers.  Uses a guard page
198  * to catch buffer overruns even if they occur in assembly code.
199  */
200 static void test_hash_buffer_overruns(struct kunit *test)
201 {
202 	const size_t max_tested_len = TEST_BUF_LEN - sizeof(struct HASH_CTX);
203 	void *const buf_end = &test_buf[TEST_BUF_LEN];
204 	struct HASH_CTX *guarded_ctx = buf_end - sizeof(*guarded_ctx);
205 
206 	rand_bytes(test_buf, TEST_BUF_LEN);
207 
208 	for (int i = 0; i < 100; i++) {
209 		size_t len = rand_length(max_tested_len);
210 		struct HASH_CTX ctx;
211 		u8 hash[HASH_SIZE];
212 
213 		/* Check for overruns of the data buffer. */
214 		HASH(buf_end - len, len, hash);
215 		HASH_INIT(&ctx);
216 		HASH_UPDATE(&ctx, buf_end - len, len);
217 		HASH_FINAL(&ctx, hash);
218 
219 		/* Check for overruns of the hash value buffer. */
220 		HASH(test_buf, len, buf_end - HASH_SIZE);
221 		HASH_INIT(&ctx);
222 		HASH_UPDATE(&ctx, test_buf, len);
223 		HASH_FINAL(&ctx, buf_end - HASH_SIZE);
224 
225 		/* Check for overuns of the hash context. */
226 		HASH_INIT(guarded_ctx);
227 		HASH_UPDATE(guarded_ctx, test_buf, len);
228 		HASH_FINAL(guarded_ctx, hash);
229 	}
230 }
231 
232 /*
233  * Test that the caller is permitted to alias the output digest and source data
234  * buffer, and also modify the source data buffer after it has been used.
235  */
236 static void test_hash_overlaps(struct kunit *test)
237 {
238 	const size_t max_tested_len = TEST_BUF_LEN - HASH_SIZE;
239 	struct HASH_CTX ctx;
240 	u8 hash[HASH_SIZE];
241 
242 	rand_bytes(test_buf, TEST_BUF_LEN);
243 
244 	for (int i = 0; i < 100; i++) {
245 		size_t len = rand_length(max_tested_len);
246 		size_t offset = HASH_SIZE + rand_offset(max_tested_len - len);
247 		bool left_end = rand_bool();
248 		u8 *ovl_hash = left_end ? &test_buf[offset] :
249 					  &test_buf[offset + len - HASH_SIZE];
250 
251 		HASH(&test_buf[offset], len, hash);
252 		HASH(&test_buf[offset], len, ovl_hash);
253 		KUNIT_ASSERT_MEMEQ_MSG(
254 			test, hash, ovl_hash, HASH_SIZE,
255 			"Overlap test 1 failed with len=%zu offset=%zu left_end=%d",
256 			len, offset, left_end);
257 
258 		/* Repeat the above test, but this time use init+update+final */
259 		HASH(&test_buf[offset], len, hash);
260 		HASH_INIT(&ctx);
261 		HASH_UPDATE(&ctx, &test_buf[offset], len);
262 		HASH_FINAL(&ctx, ovl_hash);
263 		KUNIT_ASSERT_MEMEQ_MSG(
264 			test, hash, ovl_hash, HASH_SIZE,
265 			"Overlap test 2 failed with len=%zu offset=%zu left_end=%d",
266 			len, offset, left_end);
267 
268 		/* Test modifying the source data after it was used. */
269 		HASH(&test_buf[offset], len, hash);
270 		HASH_INIT(&ctx);
271 		HASH_UPDATE(&ctx, &test_buf[offset], len);
272 		rand_bytes(&test_buf[offset], len);
273 		HASH_FINAL(&ctx, ovl_hash);
274 		KUNIT_ASSERT_MEMEQ_MSG(
275 			test, hash, ovl_hash, HASH_SIZE,
276 			"Overlap test 3 failed with len=%zu offset=%zu left_end=%d",
277 			len, offset, left_end);
278 	}
279 }
280 
281 /*
282  * Test that if the same data is hashed at different alignments in memory, the
283  * results are the same.
284  */
285 static void test_hash_alignment_consistency(struct kunit *test)
286 {
287 	u8 hash1[128 + HASH_SIZE];
288 	u8 hash2[128 + HASH_SIZE];
289 
290 	for (int i = 0; i < 100; i++) {
291 		size_t len = rand_length(TEST_BUF_LEN);
292 		size_t data_offs1 = rand_offset(TEST_BUF_LEN - len);
293 		size_t data_offs2 = rand_offset(TEST_BUF_LEN - len);
294 		size_t hash_offs1 = rand_offset(128);
295 		size_t hash_offs2 = rand_offset(128);
296 
297 		rand_bytes(&test_buf[data_offs1], len);
298 		HASH(&test_buf[data_offs1], len, &hash1[hash_offs1]);
299 		memmove(&test_buf[data_offs2], &test_buf[data_offs1], len);
300 		HASH(&test_buf[data_offs2], len, &hash2[hash_offs2]);
301 		KUNIT_ASSERT_MEMEQ_MSG(
302 			test, &hash1[hash_offs1], &hash2[hash_offs2], HASH_SIZE,
303 			"Alignment consistency test failed with len=%zu data_offs=(%zu,%zu) hash_offs=(%zu,%zu)",
304 			len, data_offs1, data_offs2, hash_offs1, hash_offs2);
305 	}
306 }
307 
308 /* Test that HASH_FINAL zeroizes the context. */
309 static void test_hash_ctx_zeroization(struct kunit *test)
310 {
311 	static const u8 zeroes[sizeof(struct HASH_CTX)];
312 	struct HASH_CTX ctx;
313 
314 	rand_bytes(test_buf, 128);
315 	HASH_INIT(&ctx);
316 	HASH_UPDATE(&ctx, test_buf, 128);
317 	HASH_FINAL(&ctx, test_buf);
318 	KUNIT_ASSERT_MEMEQ_MSG(test, &ctx, zeroes, sizeof(ctx),
319 			       "Hash context was not zeroized by finalization");
320 }
321 
322 #define IRQ_TEST_HRTIMER_INTERVAL us_to_ktime(5)
323 
324 struct hash_irq_test_state {
325 	bool (*func)(void *test_specific_state);
326 	void *test_specific_state;
327 	bool task_func_reported_failure;
328 	bool hardirq_func_reported_failure;
329 	bool softirq_func_reported_failure;
330 	unsigned long hardirq_func_calls;
331 	unsigned long softirq_func_calls;
332 	struct hrtimer timer;
333 	struct work_struct bh_work;
334 };
335 
336 static enum hrtimer_restart hash_irq_test_timer_func(struct hrtimer *timer)
337 {
338 	struct hash_irq_test_state *state =
339 		container_of(timer, typeof(*state), timer);
340 
341 	WARN_ON_ONCE(!in_hardirq());
342 	state->hardirq_func_calls++;
343 
344 	if (!state->func(state->test_specific_state))
345 		state->hardirq_func_reported_failure = true;
346 
347 	hrtimer_forward_now(&state->timer, IRQ_TEST_HRTIMER_INTERVAL);
348 	queue_work(system_bh_wq, &state->bh_work);
349 	return HRTIMER_RESTART;
350 }
351 
352 static void hash_irq_test_bh_work_func(struct work_struct *work)
353 {
354 	struct hash_irq_test_state *state =
355 		container_of(work, typeof(*state), bh_work);
356 
357 	WARN_ON_ONCE(!in_serving_softirq());
358 	state->softirq_func_calls++;
359 
360 	if (!state->func(state->test_specific_state))
361 		state->softirq_func_reported_failure = true;
362 }
363 
364 /*
365  * Helper function which repeatedly runs the given @func in task, softirq, and
366  * hardirq context concurrently, and reports a failure to KUnit if any
367  * invocation of @func in any context returns false.  @func is passed
368  * @test_specific_state as its argument.  At most 3 invocations of @func will
369  * run concurrently: one in each of task, softirq, and hardirq context.
370  *
371  * The main purpose of this interrupt context testing is to validate fallback
372  * code paths that run in contexts where the normal code path cannot be used,
373  * typically due to the FPU or vector registers already being in-use in kernel
374  * mode.  These code paths aren't covered when the test code is executed only by
375  * the KUnit test runner thread in task context.  The reason for the concurrency
376  * is because merely using hardirq context is not sufficient to reach a fallback
377  * code path on some architectures; the hardirq actually has to occur while the
378  * FPU or vector unit was already in-use in kernel mode.
379  *
380  * Another purpose of this testing is to detect issues with the architecture's
381  * irq_fpu_usable() and kernel_fpu_begin/end() or equivalent functions,
382  * especially in softirq context when the softirq may have interrupted a task
383  * already using kernel-mode FPU or vector (if the arch didn't prevent that).
384  * Crypto functions are often executed in softirqs, so this is important.
385  */
386 static void run_irq_test(struct kunit *test, bool (*func)(void *),
387 			 int max_iterations, void *test_specific_state)
388 {
389 	struct hash_irq_test_state state = {
390 		.func = func,
391 		.test_specific_state = test_specific_state,
392 	};
393 	unsigned long end_jiffies;
394 
395 	/*
396 	 * Set up a hrtimer (the way we access hardirq context) and a work
397 	 * struct for the BH workqueue (the way we access softirq context).
398 	 */
399 	hrtimer_setup_on_stack(&state.timer, hash_irq_test_timer_func,
400 			       CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
401 	INIT_WORK_ONSTACK(&state.bh_work, hash_irq_test_bh_work_func);
402 
403 	/* Run for up to max_iterations or 1 second, whichever comes first. */
404 	end_jiffies = jiffies + HZ;
405 	hrtimer_start(&state.timer, IRQ_TEST_HRTIMER_INTERVAL,
406 		      HRTIMER_MODE_REL_HARD);
407 	for (int i = 0; i < max_iterations && !time_after(jiffies, end_jiffies);
408 	     i++) {
409 		if (!func(test_specific_state))
410 			state.task_func_reported_failure = true;
411 	}
412 
413 	/* Cancel the timer and work. */
414 	hrtimer_cancel(&state.timer);
415 	flush_work(&state.bh_work);
416 
417 	/* Sanity check: the timer and BH functions should have been run. */
418 	KUNIT_EXPECT_GT_MSG(test, state.hardirq_func_calls, 0,
419 			    "Timer function was not called");
420 	KUNIT_EXPECT_GT_MSG(test, state.softirq_func_calls, 0,
421 			    "BH work function was not called");
422 
423 	/* Check for incorrect hash values reported from any context. */
424 	KUNIT_EXPECT_FALSE_MSG(
425 		test, state.task_func_reported_failure,
426 		"Incorrect hash values reported from task context");
427 	KUNIT_EXPECT_FALSE_MSG(
428 		test, state.hardirq_func_reported_failure,
429 		"Incorrect hash values reported from hardirq context");
430 	KUNIT_EXPECT_FALSE_MSG(
431 		test, state.softirq_func_reported_failure,
432 		"Incorrect hash values reported from softirq context");
433 }
434 
435 #define IRQ_TEST_DATA_LEN 256
436 #define IRQ_TEST_NUM_BUFFERS 3 /* matches max concurrency level */
437 
438 struct hash_irq_test1_state {
439 	u8 expected_hashes[IRQ_TEST_NUM_BUFFERS][HASH_SIZE];
440 	atomic_t seqno;
441 };
442 
443 /*
444  * Compute the hash of one of the test messages and verify that it matches the
445  * expected hash from @state->expected_hashes.  To increase the chance of
446  * detecting problems, cycle through multiple messages.
447  */
448 static bool hash_irq_test1_func(void *state_)
449 {
450 	struct hash_irq_test1_state *state = state_;
451 	u32 i = (u32)atomic_inc_return(&state->seqno) % IRQ_TEST_NUM_BUFFERS;
452 	u8 actual_hash[HASH_SIZE];
453 
454 	HASH(&test_buf[i * IRQ_TEST_DATA_LEN], IRQ_TEST_DATA_LEN, actual_hash);
455 	return memcmp(actual_hash, state->expected_hashes[i], HASH_SIZE) == 0;
456 }
457 
458 /*
459  * Test that if hashes are computed in task, softirq, and hardirq context
460  * concurrently, then all results are as expected.
461  */
462 static void test_hash_interrupt_context_1(struct kunit *test)
463 {
464 	struct hash_irq_test1_state state = {};
465 
466 	/* Prepare some test messages and compute the expected hash of each. */
467 	rand_bytes(test_buf, IRQ_TEST_NUM_BUFFERS * IRQ_TEST_DATA_LEN);
468 	for (int i = 0; i < IRQ_TEST_NUM_BUFFERS; i++)
469 		HASH(&test_buf[i * IRQ_TEST_DATA_LEN], IRQ_TEST_DATA_LEN,
470 		     state.expected_hashes[i]);
471 
472 	run_irq_test(test, hash_irq_test1_func, 100000, &state);
473 }
474 
475 struct hash_irq_test2_hash_ctx {
476 	struct HASH_CTX hash_ctx;
477 	atomic_t in_use;
478 	int offset;
479 	int step;
480 };
481 
482 struct hash_irq_test2_state {
483 	struct hash_irq_test2_hash_ctx ctxs[IRQ_TEST_NUM_BUFFERS];
484 	u8 expected_hash[HASH_SIZE];
485 	u16 update_lens[32];
486 	int num_steps;
487 };
488 
489 static bool hash_irq_test2_func(void *state_)
490 {
491 	struct hash_irq_test2_state *state = state_;
492 	struct hash_irq_test2_hash_ctx *ctx;
493 	bool ret = true;
494 
495 	for (ctx = &state->ctxs[0]; ctx < &state->ctxs[ARRAY_SIZE(state->ctxs)];
496 	     ctx++) {
497 		if (atomic_cmpxchg(&ctx->in_use, 0, 1) == 0)
498 			break;
499 	}
500 	if (WARN_ON_ONCE(ctx == &state->ctxs[ARRAY_SIZE(state->ctxs)])) {
501 		/*
502 		 * This should never happen, as the number of contexts is equal
503 		 * to the maximum concurrency level of run_irq_test().
504 		 */
505 		return false;
506 	}
507 
508 	if (ctx->step == 0) {
509 		/* Init step */
510 		HASH_INIT(&ctx->hash_ctx);
511 		ctx->offset = 0;
512 		ctx->step++;
513 	} else if (ctx->step < state->num_steps - 1) {
514 		/* Update step */
515 		HASH_UPDATE(&ctx->hash_ctx, &test_buf[ctx->offset],
516 			    state->update_lens[ctx->step - 1]);
517 		ctx->offset += state->update_lens[ctx->step - 1];
518 		ctx->step++;
519 	} else {
520 		/* Final step */
521 		u8 actual_hash[HASH_SIZE];
522 
523 		if (WARN_ON_ONCE(ctx->offset != TEST_BUF_LEN))
524 			ret = false;
525 		HASH_FINAL(&ctx->hash_ctx, actual_hash);
526 		if (memcmp(actual_hash, state->expected_hash, HASH_SIZE) != 0)
527 			ret = false;
528 		ctx->step = 0;
529 	}
530 	atomic_set_release(&ctx->in_use, 0);
531 	return ret;
532 }
533 
534 /*
535  * Test that if hashes are computed in task, softirq, and hardirq context
536  * concurrently, *including doing different parts of the same incremental
537  * computation in different contexts*, then all results are as expected.
538  * Besides detecting bugs similar to those that test_hash_interrupt_context_1
539  * can detect, this test case can also detect bugs where hash function
540  * implementations don't correctly handle these mixed incremental computations.
541  */
542 static void test_hash_interrupt_context_2(struct kunit *test)
543 {
544 	struct hash_irq_test2_state *state;
545 	int remaining = TEST_BUF_LEN;
546 
547 	state = kunit_kzalloc(test, sizeof(*state), GFP_KERNEL);
548 	KUNIT_ASSERT_NOT_NULL(test, state);
549 
550 	rand_bytes(test_buf, TEST_BUF_LEN);
551 	HASH(test_buf, TEST_BUF_LEN, state->expected_hash);
552 
553 	/*
554 	 * Generate a list of update lengths to use.  Ensure that it contains
555 	 * multiple entries but is limited to a maximum length.
556 	 */
557 	static_assert(TEST_BUF_LEN / 4096 > 1);
558 	for (state->num_steps = 0;
559 	     state->num_steps < ARRAY_SIZE(state->update_lens) - 1 && remaining;
560 	     state->num_steps++) {
561 		state->update_lens[state->num_steps] =
562 			rand_length(min(remaining, 4096));
563 		remaining -= state->update_lens[state->num_steps];
564 	}
565 	if (remaining)
566 		state->update_lens[state->num_steps++] = remaining;
567 	state->num_steps += 2; /* for init and final */
568 
569 	run_irq_test(test, hash_irq_test2_func, 250000, state);
570 }
571 
572 #define UNKEYED_HASH_KUNIT_CASES                     \
573 	KUNIT_CASE(test_hash_test_vectors),          \
574 	KUNIT_CASE(test_hash_all_lens_up_to_4096),   \
575 	KUNIT_CASE(test_hash_incremental_updates),   \
576 	KUNIT_CASE(test_hash_buffer_overruns),       \
577 	KUNIT_CASE(test_hash_overlaps),              \
578 	KUNIT_CASE(test_hash_alignment_consistency), \
579 	KUNIT_CASE(test_hash_ctx_zeroization),       \
580 	KUNIT_CASE(test_hash_interrupt_context_1),   \
581 	KUNIT_CASE(test_hash_interrupt_context_2)
582 /* benchmark_hash is omitted so that the suites can put it last. */
583 
584 #ifdef HMAC
585 /*
586  * Test the corresponding HMAC variant.
587  *
588  * This test case is fairly short, since HMAC is just a simple C wrapper around
589  * the underlying unkeyed hash function, which is already well-tested by the
590  * other test cases.  It's not useful to test things like data alignment or
591  * interrupt context again for HMAC, nor to have a long list of test vectors.
592  *
593  * Thus, just do a single consolidated test, which covers all data lengths up to
594  * 4096 bytes and all key lengths up to 292 bytes.  For each data length, select
595  * a key length, generate the inputs from a seed, and compute the HMAC value.
596  * Concatenate all these HMAC values together, and compute the HMAC of that.
597  * Verify that value.  If this fails, then the HMAC implementation is wrong.
598  * This won't show which specific input failed, but that should be fine.  Any
599  * failure would likely be non-input-specific or also show in the unkeyed tests.
600  */
601 static void test_hmac(struct kunit *test)
602 {
603 	static const u8 zeroes[sizeof(struct HMAC_CTX)];
604 	u8 *raw_key;
605 	struct HMAC_KEY key;
606 	struct HMAC_CTX ctx;
607 	u8 mac[HASH_SIZE];
608 	u8 mac2[HASH_SIZE];
609 
610 	static_assert(TEST_BUF_LEN >= 4096 + 293);
611 	rand_bytes_seeded_from_len(test_buf, 4096);
612 	raw_key = &test_buf[4096];
613 
614 	rand_bytes_seeded_from_len(raw_key, 32);
615 	HMAC_PREPAREKEY(&key, raw_key, 32);
616 	HMAC_INIT(&ctx, &key);
617 	for (size_t data_len = 0; data_len <= 4096; data_len++) {
618 		/*
619 		 * Cycle through key lengths as well.  Somewhat arbitrarily go
620 		 * up to 293, which is somewhat larger than the largest hash
621 		 * block size (which is the size at which the key starts being
622 		 * hashed down to one block); going higher would not be useful.
623 		 * To reduce correlation with data_len, use a prime number here.
624 		 */
625 		size_t key_len = data_len % 293;
626 
627 		HMAC_UPDATE(&ctx, test_buf, data_len);
628 
629 		rand_bytes_seeded_from_len(raw_key, key_len);
630 		HMAC_USINGRAWKEY(raw_key, key_len, test_buf, data_len, mac);
631 		HMAC_UPDATE(&ctx, mac, HASH_SIZE);
632 
633 		/* Verify that HMAC() is consistent with HMAC_USINGRAWKEY(). */
634 		HMAC_PREPAREKEY(&key, raw_key, key_len);
635 		HMAC(&key, test_buf, data_len, mac2);
636 		KUNIT_ASSERT_MEMEQ_MSG(
637 			test, mac, mac2, HASH_SIZE,
638 			"HMAC gave different results with raw and prepared keys");
639 	}
640 	HMAC_FINAL(&ctx, mac);
641 	KUNIT_EXPECT_MEMEQ_MSG(test, mac, hmac_testvec_consolidated, HASH_SIZE,
642 			       "HMAC gave wrong result");
643 	KUNIT_EXPECT_MEMEQ_MSG(test, &ctx, zeroes, sizeof(ctx),
644 			       "HMAC context was not zeroized by finalization");
645 }
646 #define HASH_KUNIT_CASES UNKEYED_HASH_KUNIT_CASES, KUNIT_CASE(test_hmac)
647 #else
648 #define HASH_KUNIT_CASES UNKEYED_HASH_KUNIT_CASES
649 #endif
650 
651 /* Benchmark the hash function on various data lengths. */
652 static void benchmark_hash(struct kunit *test)
653 {
654 	static const size_t lens_to_test[] = {
655 		1,   16,  64,	127,  128,  200,   256,
656 		511, 512, 1024, 3173, 4096, 16384,
657 	};
658 	u8 hash[HASH_SIZE];
659 
660 	if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK))
661 		kunit_skip(test, "not enabled");
662 
663 	/* Warm-up */
664 	for (size_t i = 0; i < 10000000; i += TEST_BUF_LEN)
665 		HASH(test_buf, TEST_BUF_LEN, hash);
666 
667 	for (size_t i = 0; i < ARRAY_SIZE(lens_to_test); i++) {
668 		size_t len = lens_to_test[i];
669 		/* The '+ 128' tries to account for per-message overhead. */
670 		size_t num_iters = 10000000 / (len + 128);
671 		u64 t;
672 
673 		KUNIT_ASSERT_LE(test, len, TEST_BUF_LEN);
674 		preempt_disable();
675 		t = ktime_get_ns();
676 		for (size_t j = 0; j < num_iters; j++)
677 			HASH(test_buf, len, hash);
678 		t = ktime_get_ns() - t;
679 		preempt_enable();
680 		kunit_info(test, "len=%zu: %llu MB/s", len,
681 			   div64_u64((u64)len * num_iters * 1000, t ?: 1));
682 	}
683 }
684