xref: /linux/lib/crypto/tests/polyval_kunit.c (revision b3aed551b3fca753469520c95b6f4c61ada028d3) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright 2025 Google LLC
4  */
5 #include <crypto/polyval.h>
6 #include "polyval-testvecs.h"
7 
8 /*
9  * A fixed key used when presenting POLYVAL as an unkeyed hash function in order
10  * to reuse hash-test-template.h.  At the beginning of the test suite, this is
11  * initialized to a key prepared from bytes generated from a fixed seed.
12  */
13 static struct polyval_key test_key;
14 
15 static void polyval_init_withtestkey(struct polyval_ctx *ctx)
16 {
17 	polyval_init(ctx, &test_key);
18 }
19 
20 static void polyval_withtestkey(const u8 *data, size_t len,
21 				u8 out[POLYVAL_BLOCK_SIZE])
22 {
23 	polyval(&test_key, data, len, out);
24 }
25 
26 /* Generate the HASH_KUNIT_CASES using hash-test-template.h. */
27 #define HASH polyval_withtestkey
28 #define HASH_CTX polyval_ctx
29 #define HASH_SIZE POLYVAL_BLOCK_SIZE
30 #define HASH_INIT polyval_init_withtestkey
31 #define HASH_UPDATE polyval_update
32 #define HASH_FINAL polyval_final
33 #include "hash-test-template.h"
34 
35 /*
36  * Test an example from RFC8452 ("AES-GCM-SIV: Nonce Misuse-Resistant
37  * Authenticated Encryption") to ensure compatibility with that.
38  */
39 static void test_polyval_rfc8452_testvec(struct kunit *test)
40 {
41 	static const u8 raw_key[POLYVAL_BLOCK_SIZE] =
42 		"\x31\x07\x28\xd9\x91\x1f\x1f\x38"
43 		"\x37\xb2\x43\x16\xc3\xfa\xb9\xa0";
44 	static const u8 data[48] =
45 		"\x65\x78\x61\x6d\x70\x6c\x65\x00"
46 		"\x00\x00\x00\x00\x00\x00\x00\x00"
47 		"\x48\x65\x6c\x6c\x6f\x20\x77\x6f"
48 		"\x72\x6c\x64\x00\x00\x00\x00\x00"
49 		"\x38\x00\x00\x00\x00\x00\x00\x00"
50 		"\x58\x00\x00\x00\x00\x00\x00\x00";
51 	static const u8 expected_hash[POLYVAL_BLOCK_SIZE] =
52 		"\xad\x7f\xcf\x0b\x51\x69\x85\x16"
53 		"\x62\x67\x2f\x3c\x5f\x95\x13\x8f";
54 	u8 hash[POLYVAL_BLOCK_SIZE];
55 	struct polyval_key key;
56 
57 	polyval_preparekey(&key, raw_key);
58 	polyval(&key, data, sizeof(data), hash);
59 	KUNIT_ASSERT_MEMEQ(test, hash, expected_hash, sizeof(hash));
60 }
61 
62 /*
63  * Test a key and messages containing all one bits.  This is useful to detect
64  * overflow bugs in implementations that emulate carryless multiplication using
65  * a series of standard multiplications with the bits spread out.
66  */
67 static void test_polyval_allones_key_and_message(struct kunit *test)
68 {
69 	struct polyval_key key;
70 	struct polyval_ctx hashofhashes_ctx;
71 	u8 hash[POLYVAL_BLOCK_SIZE];
72 
73 	static_assert(TEST_BUF_LEN >= 4096);
74 	memset(test_buf, 0xff, 4096);
75 
76 	polyval_preparekey(&key, test_buf);
77 	polyval_init(&hashofhashes_ctx, &key);
78 	for (size_t len = 0; len <= 4096; len += 16) {
79 		polyval(&key, test_buf, len, hash);
80 		polyval_update(&hashofhashes_ctx, hash, sizeof(hash));
81 	}
82 	polyval_final(&hashofhashes_ctx, hash);
83 	KUNIT_ASSERT_MEMEQ(test, hash, polyval_allones_hashofhashes,
84 			   sizeof(hash));
85 }
86 
87 #define MAX_LEN_FOR_KEY_CHECK 1024
88 
89 /*
90  * Given two prepared keys which should be identical (but may differ in
91  * alignment and/or whether they are followed by a guard page or not), verify
92  * that they produce consistent results on various data lengths.
93  */
94 static void check_key_consistency(struct kunit *test,
95 				  const struct polyval_key *key1,
96 				  const struct polyval_key *key2)
97 {
98 	u8 *data = test_buf;
99 	u8 hash1[POLYVAL_BLOCK_SIZE];
100 	u8 hash2[POLYVAL_BLOCK_SIZE];
101 
102 	rand_bytes(data, MAX_LEN_FOR_KEY_CHECK);
103 	KUNIT_ASSERT_MEMEQ(test, key1, key2, sizeof(*key1));
104 
105 	for (int i = 0; i < 100; i++) {
106 		size_t len = rand_length(MAX_LEN_FOR_KEY_CHECK);
107 
108 		polyval(key1, data, len, hash1);
109 		polyval(key2, data, len, hash2);
110 		KUNIT_ASSERT_MEMEQ(test, hash1, hash2, sizeof(hash1));
111 	}
112 }
113 
114 /* Test that no buffer overreads occur on either raw_key or polyval_key. */
115 static void test_polyval_with_guarded_key(struct kunit *test)
116 {
117 	u8 raw_key[POLYVAL_BLOCK_SIZE];
118 	u8 *guarded_raw_key = &test_buf[TEST_BUF_LEN - sizeof(raw_key)];
119 	struct polyval_key key1, key2;
120 	struct polyval_key *guarded_key =
121 		(struct polyval_key *)&test_buf[TEST_BUF_LEN - sizeof(key1)];
122 
123 	/* Prepare with regular buffers. */
124 	rand_bytes(raw_key, sizeof(raw_key));
125 	polyval_preparekey(&key1, raw_key);
126 
127 	/* Prepare with guarded raw_key, then check that it works. */
128 	memcpy(guarded_raw_key, raw_key, sizeof(raw_key));
129 	polyval_preparekey(&key2, guarded_raw_key);
130 	check_key_consistency(test, &key1, &key2);
131 
132 	/* Prepare guarded polyval_key, then check that it works. */
133 	polyval_preparekey(guarded_key, raw_key);
134 	check_key_consistency(test, &key1, guarded_key);
135 }
136 
137 /*
138  * Test that polyval_key only needs to be aligned to
139  * __alignof__(struct polyval_key), i.e. 8 bytes.  The assembly code may prefer
140  * 16-byte or higher alignment, but it musn't require it.
141  */
142 static void test_polyval_with_minimally_aligned_key(struct kunit *test)
143 {
144 	u8 raw_key[POLYVAL_BLOCK_SIZE];
145 	struct polyval_key key;
146 	struct polyval_key *minaligned_key =
147 		(struct polyval_key *)&test_buf[MAX_LEN_FOR_KEY_CHECK +
148 						__alignof__(struct polyval_key)];
149 
150 	KUNIT_ASSERT_TRUE(test, IS_ALIGNED((uintptr_t)minaligned_key,
151 					   __alignof__(struct polyval_key)));
152 	KUNIT_ASSERT_TRUE(test,
153 			  !IS_ALIGNED((uintptr_t)minaligned_key,
154 				      2 * __alignof__(struct polyval_key)));
155 
156 	rand_bytes(raw_key, sizeof(raw_key));
157 	polyval_preparekey(&key, raw_key);
158 	polyval_preparekey(minaligned_key, raw_key);
159 	check_key_consistency(test, &key, minaligned_key);
160 }
161 
162 struct polyval_irq_test_state {
163 	struct polyval_key expected_key;
164 	u8 raw_key[POLYVAL_BLOCK_SIZE];
165 };
166 
167 static bool polyval_irq_test_func(void *state_)
168 {
169 	struct polyval_irq_test_state *state = state_;
170 	struct polyval_key key;
171 
172 	polyval_preparekey(&key, state->raw_key);
173 	return memcmp(&key, &state->expected_key, sizeof(key)) == 0;
174 }
175 
176 /*
177  * Test that polyval_preparekey() produces the same output regardless of whether
178  * FPU or vector registers are usable when it is called.
179  */
180 static void test_polyval_preparekey_in_irqs(struct kunit *test)
181 {
182 	struct polyval_irq_test_state state;
183 
184 	rand_bytes(state.raw_key, sizeof(state.raw_key));
185 	polyval_preparekey(&state.expected_key, state.raw_key);
186 	kunit_run_irq_test(test, polyval_irq_test_func, 20000, &state);
187 }
188 
189 static int polyval_suite_init(struct kunit_suite *suite)
190 {
191 	u8 raw_key[POLYVAL_BLOCK_SIZE];
192 
193 	rand_bytes_seeded_from_len(raw_key, sizeof(raw_key));
194 	polyval_preparekey(&test_key, raw_key);
195 	return hash_suite_init(suite);
196 }
197 
198 static void polyval_suite_exit(struct kunit_suite *suite)
199 {
200 	hash_suite_exit(suite);
201 }
202 
203 static struct kunit_case polyval_test_cases[] = {
204 	HASH_KUNIT_CASES,
205 	KUNIT_CASE(test_polyval_rfc8452_testvec),
206 	KUNIT_CASE(test_polyval_allones_key_and_message),
207 	KUNIT_CASE(test_polyval_with_guarded_key),
208 	KUNIT_CASE(test_polyval_with_minimally_aligned_key),
209 	KUNIT_CASE(test_polyval_preparekey_in_irqs),
210 	KUNIT_CASE(benchmark_hash),
211 	{},
212 };
213 
214 static struct kunit_suite polyval_test_suite = {
215 	.name = "polyval",
216 	.test_cases = polyval_test_cases,
217 	.suite_init = polyval_suite_init,
218 	.suite_exit = polyval_suite_exit,
219 };
220 kunit_test_suite(polyval_test_suite);
221 
222 MODULE_DESCRIPTION("KUnit tests and benchmark for POLYVAL");
223 MODULE_LICENSE("GPL");
224