1*6dd4d9f7SEric Biggers // SPDX-License-Identifier: GPL-2.0-or-later
2*6dd4d9f7SEric Biggers /*
3*6dd4d9f7SEric Biggers * Copyright 2025 Google LLC
4*6dd4d9f7SEric Biggers */
5*6dd4d9f7SEric Biggers #include <crypto/poly1305.h>
6*6dd4d9f7SEric Biggers #include "poly1305-testvecs.h"
7*6dd4d9f7SEric Biggers
8*6dd4d9f7SEric Biggers /*
9*6dd4d9f7SEric Biggers * A fixed key used when presenting Poly1305 as an unkeyed hash function in
10*6dd4d9f7SEric Biggers * order to reuse hash-test-template.h. At the beginning of the test suite,
11*6dd4d9f7SEric Biggers * this is initialized to bytes generated from a fixed seed.
12*6dd4d9f7SEric Biggers */
13*6dd4d9f7SEric Biggers static u8 test_key[POLY1305_KEY_SIZE];
14*6dd4d9f7SEric Biggers
15*6dd4d9f7SEric Biggers /* This probably should be in the actual API, but just define it here for now */
poly1305(const u8 key[POLY1305_KEY_SIZE],const u8 * data,size_t len,u8 out[POLY1305_DIGEST_SIZE])16*6dd4d9f7SEric Biggers static void poly1305(const u8 key[POLY1305_KEY_SIZE], const u8 *data,
17*6dd4d9f7SEric Biggers size_t len, u8 out[POLY1305_DIGEST_SIZE])
18*6dd4d9f7SEric Biggers {
19*6dd4d9f7SEric Biggers struct poly1305_desc_ctx ctx;
20*6dd4d9f7SEric Biggers
21*6dd4d9f7SEric Biggers poly1305_init(&ctx, key);
22*6dd4d9f7SEric Biggers poly1305_update(&ctx, data, len);
23*6dd4d9f7SEric Biggers poly1305_final(&ctx, out);
24*6dd4d9f7SEric Biggers }
25*6dd4d9f7SEric Biggers
poly1305_init_withtestkey(struct poly1305_desc_ctx * ctx)26*6dd4d9f7SEric Biggers static void poly1305_init_withtestkey(struct poly1305_desc_ctx *ctx)
27*6dd4d9f7SEric Biggers {
28*6dd4d9f7SEric Biggers poly1305_init(ctx, test_key);
29*6dd4d9f7SEric Biggers }
30*6dd4d9f7SEric Biggers
poly1305_withtestkey(const u8 * data,size_t len,u8 out[POLY1305_DIGEST_SIZE])31*6dd4d9f7SEric Biggers static void poly1305_withtestkey(const u8 *data, size_t len,
32*6dd4d9f7SEric Biggers u8 out[POLY1305_DIGEST_SIZE])
33*6dd4d9f7SEric Biggers {
34*6dd4d9f7SEric Biggers poly1305(test_key, data, len, out);
35*6dd4d9f7SEric Biggers }
36*6dd4d9f7SEric Biggers
37*6dd4d9f7SEric Biggers /* Generate the HASH_KUNIT_CASES using hash-test-template.h. */
38*6dd4d9f7SEric Biggers #define HASH poly1305_withtestkey
39*6dd4d9f7SEric Biggers #define HASH_CTX poly1305_desc_ctx
40*6dd4d9f7SEric Biggers #define HASH_SIZE POLY1305_DIGEST_SIZE
41*6dd4d9f7SEric Biggers #define HASH_INIT poly1305_init_withtestkey
42*6dd4d9f7SEric Biggers #define HASH_UPDATE poly1305_update
43*6dd4d9f7SEric Biggers #define HASH_FINAL poly1305_final
44*6dd4d9f7SEric Biggers #include "hash-test-template.h"
45*6dd4d9f7SEric Biggers
poly1305_suite_init(struct kunit_suite * suite)46*6dd4d9f7SEric Biggers static int poly1305_suite_init(struct kunit_suite *suite)
47*6dd4d9f7SEric Biggers {
48*6dd4d9f7SEric Biggers rand_bytes_seeded_from_len(test_key, POLY1305_KEY_SIZE);
49*6dd4d9f7SEric Biggers return hash_suite_init(suite);
50*6dd4d9f7SEric Biggers }
51*6dd4d9f7SEric Biggers
poly1305_suite_exit(struct kunit_suite * suite)52*6dd4d9f7SEric Biggers static void poly1305_suite_exit(struct kunit_suite *suite)
53*6dd4d9f7SEric Biggers {
54*6dd4d9f7SEric Biggers hash_suite_exit(suite);
55*6dd4d9f7SEric Biggers }
56*6dd4d9f7SEric Biggers
57*6dd4d9f7SEric Biggers /*
58*6dd4d9f7SEric Biggers * Poly1305 test case which uses a key and message consisting only of one bits:
59*6dd4d9f7SEric Biggers *
60*6dd4d9f7SEric Biggers * - Using an all-one-bits r_key tests the key clamping.
61*6dd4d9f7SEric Biggers * - Using an all-one-bits s_key tests carries in implementations of the
62*6dd4d9f7SEric Biggers * addition mod 2**128 during finalization.
63*6dd4d9f7SEric Biggers * - Using all-one-bits message, and to a lesser extent r_key, tends to maximize
64*6dd4d9f7SEric Biggers * any intermediate accumulator values. This increases the chance of
65*6dd4d9f7SEric Biggers * detecting bugs that occur only in rare cases where the accumulator values
66*6dd4d9f7SEric Biggers * get very large, for example the bug fixed by commit 678cce4019d746da
67*6dd4d9f7SEric Biggers * ("crypto: x86/poly1305 - fix overflow during partial reduction").
68*6dd4d9f7SEric Biggers *
69*6dd4d9f7SEric Biggers * Accumulator overflow bugs may be specific to particular update lengths (in
70*6dd4d9f7SEric Biggers * blocks) and/or particular values of the previous acculumator. Note that the
71*6dd4d9f7SEric Biggers * accumulator starts at 0 which gives the lowest chance of an overflow. Thus,
72*6dd4d9f7SEric Biggers * a single all-one-bits test vector may be insufficient.
73*6dd4d9f7SEric Biggers *
74*6dd4d9f7SEric Biggers * Considering that, do the following test: continuously update a single
75*6dd4d9f7SEric Biggers * Poly1305 context with all-one-bits data of varying lengths (0, 16, 32, ...,
76*6dd4d9f7SEric Biggers * 4096 bytes). After each update, generate the MAC from the current context,
77*6dd4d9f7SEric Biggers * and feed that MAC into a separate Poly1305 context. Repeat that entire
78*6dd4d9f7SEric Biggers * sequence of updates 32 times without re-initializing either context,
79*6dd4d9f7SEric Biggers * resulting in a total of 8224 MAC computations from a long-running, cumulative
80*6dd4d9f7SEric Biggers * context. Finally, generate and verify the MAC of all the MACs.
81*6dd4d9f7SEric Biggers */
test_poly1305_allones_keys_and_message(struct kunit * test)82*6dd4d9f7SEric Biggers static void test_poly1305_allones_keys_and_message(struct kunit *test)
83*6dd4d9f7SEric Biggers {
84*6dd4d9f7SEric Biggers struct poly1305_desc_ctx mac_ctx, macofmacs_ctx;
85*6dd4d9f7SEric Biggers u8 mac[POLY1305_DIGEST_SIZE];
86*6dd4d9f7SEric Biggers
87*6dd4d9f7SEric Biggers static_assert(TEST_BUF_LEN >= 4096);
88*6dd4d9f7SEric Biggers memset(test_buf, 0xff, 4096);
89*6dd4d9f7SEric Biggers
90*6dd4d9f7SEric Biggers poly1305_init(&mac_ctx, test_buf);
91*6dd4d9f7SEric Biggers poly1305_init(&macofmacs_ctx, test_buf);
92*6dd4d9f7SEric Biggers for (int i = 0; i < 32; i++) {
93*6dd4d9f7SEric Biggers for (size_t len = 0; len <= 4096; len += 16) {
94*6dd4d9f7SEric Biggers struct poly1305_desc_ctx tmp_ctx;
95*6dd4d9f7SEric Biggers
96*6dd4d9f7SEric Biggers poly1305_update(&mac_ctx, test_buf, len);
97*6dd4d9f7SEric Biggers tmp_ctx = mac_ctx;
98*6dd4d9f7SEric Biggers poly1305_final(&tmp_ctx, mac);
99*6dd4d9f7SEric Biggers poly1305_update(&macofmacs_ctx, mac,
100*6dd4d9f7SEric Biggers POLY1305_DIGEST_SIZE);
101*6dd4d9f7SEric Biggers }
102*6dd4d9f7SEric Biggers }
103*6dd4d9f7SEric Biggers poly1305_final(&macofmacs_ctx, mac);
104*6dd4d9f7SEric Biggers KUNIT_ASSERT_MEMEQ(test, mac, poly1305_allones_macofmacs,
105*6dd4d9f7SEric Biggers POLY1305_DIGEST_SIZE);
106*6dd4d9f7SEric Biggers }
107*6dd4d9f7SEric Biggers
108*6dd4d9f7SEric Biggers /*
109*6dd4d9f7SEric Biggers * Poly1305 test case which uses r_key=1, s_key=0, and a 48-byte message
110*6dd4d9f7SEric Biggers * consisting of three blocks with integer values [2**128 - i, 0, 0]. In this
111*6dd4d9f7SEric Biggers * case, the result of the polynomial evaluation is 2**130 - i. For small
112*6dd4d9f7SEric Biggers * values of i, this is very close to the modulus 2**130 - 5, which helps catch
113*6dd4d9f7SEric Biggers * edge case bugs in the modular reduction logic.
114*6dd4d9f7SEric Biggers */
test_poly1305_reduction_edge_cases(struct kunit * test)115*6dd4d9f7SEric Biggers static void test_poly1305_reduction_edge_cases(struct kunit *test)
116*6dd4d9f7SEric Biggers {
117*6dd4d9f7SEric Biggers static const u8 key[POLY1305_KEY_SIZE] = { 1 }; /* r_key=1, s_key=0 */
118*6dd4d9f7SEric Biggers u8 data[3 * POLY1305_BLOCK_SIZE] = {};
119*6dd4d9f7SEric Biggers u8 expected_mac[POLY1305_DIGEST_SIZE];
120*6dd4d9f7SEric Biggers u8 actual_mac[POLY1305_DIGEST_SIZE];
121*6dd4d9f7SEric Biggers
122*6dd4d9f7SEric Biggers for (int i = 1; i <= 10; i++) {
123*6dd4d9f7SEric Biggers /* Set the first data block to 2**128 - i. */
124*6dd4d9f7SEric Biggers data[0] = -i;
125*6dd4d9f7SEric Biggers memset(&data[1], 0xff, POLY1305_BLOCK_SIZE - 1);
126*6dd4d9f7SEric Biggers
127*6dd4d9f7SEric Biggers /*
128*6dd4d9f7SEric Biggers * Assuming s_key=0, the expected MAC as an integer is
129*6dd4d9f7SEric Biggers * (2**130 - i mod 2**130 - 5) + 0 mod 2**128. If 1 <= i <= 5,
130*6dd4d9f7SEric Biggers * that's 5 - i. If 6 <= i <= 10, that's 2**128 - i.
131*6dd4d9f7SEric Biggers */
132*6dd4d9f7SEric Biggers if (i <= 5) {
133*6dd4d9f7SEric Biggers expected_mac[0] = 5 - i;
134*6dd4d9f7SEric Biggers memset(&expected_mac[1], 0, POLY1305_DIGEST_SIZE - 1);
135*6dd4d9f7SEric Biggers } else {
136*6dd4d9f7SEric Biggers expected_mac[0] = -i;
137*6dd4d9f7SEric Biggers memset(&expected_mac[1], 0xff,
138*6dd4d9f7SEric Biggers POLY1305_DIGEST_SIZE - 1);
139*6dd4d9f7SEric Biggers }
140*6dd4d9f7SEric Biggers
141*6dd4d9f7SEric Biggers /* Compute and verify the MAC. */
142*6dd4d9f7SEric Biggers poly1305(key, data, sizeof(data), actual_mac);
143*6dd4d9f7SEric Biggers KUNIT_ASSERT_MEMEQ(test, actual_mac, expected_mac,
144*6dd4d9f7SEric Biggers POLY1305_DIGEST_SIZE);
145*6dd4d9f7SEric Biggers }
146*6dd4d9f7SEric Biggers }
147*6dd4d9f7SEric Biggers
148*6dd4d9f7SEric Biggers static struct kunit_case poly1305_test_cases[] = {
149*6dd4d9f7SEric Biggers HASH_KUNIT_CASES,
150*6dd4d9f7SEric Biggers KUNIT_CASE(test_poly1305_allones_keys_and_message),
151*6dd4d9f7SEric Biggers KUNIT_CASE(test_poly1305_reduction_edge_cases),
152*6dd4d9f7SEric Biggers KUNIT_CASE(benchmark_hash),
153*6dd4d9f7SEric Biggers {},
154*6dd4d9f7SEric Biggers };
155*6dd4d9f7SEric Biggers
156*6dd4d9f7SEric Biggers static struct kunit_suite poly1305_test_suite = {
157*6dd4d9f7SEric Biggers .name = "poly1305",
158*6dd4d9f7SEric Biggers .test_cases = poly1305_test_cases,
159*6dd4d9f7SEric Biggers .suite_init = poly1305_suite_init,
160*6dd4d9f7SEric Biggers .suite_exit = poly1305_suite_exit,
161*6dd4d9f7SEric Biggers };
162*6dd4d9f7SEric Biggers kunit_test_suite(poly1305_test_suite);
163*6dd4d9f7SEric Biggers
164*6dd4d9f7SEric Biggers MODULE_DESCRIPTION("KUnit tests and benchmark for Poly1305");
165*6dd4d9f7SEric Biggers MODULE_LICENSE("GPL");
166