poly1305_kunit.c 5.5 KB

  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * Copyright 2025 Google LLC
  4. */
  5. #include <crypto/poly1305.h>
  6. #include "poly1305-testvecs.h"
/*
 * A fixed key used when presenting Poly1305 as an unkeyed hash function in
 * order to reuse hash-test-template.h.  At the beginning of the test suite,
 * this is initialized to bytes generated from a fixed seed.
 *
 * This is a test-only arrangement: Poly1305 is a one-time authenticator, so
 * a real user must never authenticate more than one message under the same
 * key.  The value here is deterministic and is not a secret.
 */
static u8 test_key[POLY1305_KEY_SIZE];
/*
 * One-shot Poly1305: key a fresh context with @key, absorb @len bytes of
 * @data, and write the POLY1305_DIGEST_SIZE-byte MAC to @out.
 *
 * This probably should be in the actual API, but just define it here for now.
 *
 * NOTE(review): the on-stack context is keyed with @key; whether
 * poly1305_final() wipes it is not visible from this file -- confirm before
 * promoting this helper to the real API.
 */
static void poly1305(const u8 key[POLY1305_KEY_SIZE], const u8 *data,
		     size_t len, u8 out[POLY1305_DIGEST_SIZE])
{
	struct poly1305_desc_ctx desc;

	poly1305_init(&desc, key);
	poly1305_update(&desc, data, len);
	poly1305_final(&desc, out);
}
/*
 * Keyless "init" hook for the hash test template: starts @ctx using the
 * suite-wide test_key so Poly1305 can be driven like an unkeyed hash.
 */
static void poly1305_init_withtestkey(struct poly1305_desc_ctx *ctx)
{
	const u8 *fixed_key = test_key;

	poly1305_init(ctx, fixed_key);
}
/*
 * Keyless one-shot hook for the hash test template: computes the Poly1305
 * MAC of @len bytes at @data under the suite-wide test_key and stores the
 * POLY1305_DIGEST_SIZE-byte result in @out.
 */
static void poly1305_withtestkey(const u8 *data, size_t len,
				 u8 out[POLY1305_DIGEST_SIZE])
{
	const u8 *fixed_key = test_key;

	poly1305(fixed_key, data, len, out);
}
/*
 * Generate the HASH_KUNIT_CASES using hash-test-template.h.
 *
 * The HASH* macros are defined immediately before the template is included.
 * The one-shot and init hooks point at the test-key wrappers above, so the
 * keyed MAC is presented through a keyless interface; update and final map
 * directly to the Poly1305 library functions.  (The template itself is not
 * part of this file; how it consumes each macro should be checked there.)
 */
#define HASH poly1305_withtestkey
#define HASH_CTX poly1305_desc_ctx
#define HASH_SIZE POLY1305_DIGEST_SIZE
#define HASH_INIT poly1305_init_withtestkey
#define HASH_UPDATE poly1305_update
#define HASH_FINAL poly1305_final
#include "hash-test-template.h"
/*
 * Suite setup: fill test_key before any test case runs, then hand over to
 * the shared hash suite initializer and propagate its return value.
 *
 * The key bytes come from rand_bytes_seeded_from_len(); per the comment on
 * test_key they are generated from a fixed seed, so they are reproducible
 * across runs and must not be treated as secret.
 */
static int poly1305_suite_init(struct kunit_suite *suite)
{
	int ret;

	rand_bytes_seeded_from_len(test_key, POLY1305_KEY_SIZE);
	ret = hash_suite_init(suite);
	return ret;
}
/*
 * Suite teardown: nothing Poly1305-specific to release, so this only
 * forwards to the shared hash suite exit handler.
 */
static void poly1305_suite_exit(struct kunit_suite *suite)
{
	hash_suite_exit(suite);
}
/*
 * Poly1305 test case in which the key and the message consist only of one
 * bits:
 *
 * - An all-one-bits r_key exercises the key clamping.
 * - An all-one-bits s_key exercises carry propagation in the addition
 *   mod 2**128 done during finalization.
 * - An all-one-bits message (and, to a lesser extent, r_key) tends to
 *   maximize the intermediate accumulator values.  That raises the chance of
 *   catching bugs that only show up when the accumulator gets very large,
 *   for example the bug fixed by commit 678cce4019d746da
 *   ("crypto: x86/poly1305 - fix overflow during partial reduction").
 *
 * Accumulator overflow bugs may depend on the update length (in blocks)
 * and/or on the previous accumulator value.  The accumulator starts at 0,
 * which is the least likely state to overflow, so a single all-one-bits test
 * vector may be insufficient.
 *
 * Therefore: keep updating one Poly1305 context with all-one-bits data of
 * varying lengths (0, 16, 32, ..., 4096 bytes).  After each update, produce
 * the MAC of the current state and feed that MAC into a second Poly1305
 * context.  Run that whole sweep 32 times without re-initializing either
 * context, for a total of 8224 MACs taken from one long-running, cumulative
 * context.  Finally, produce and verify the MAC of all the MACs.
 */
static void test_poly1305_allones_keys_and_message(struct kunit *test)
{
	enum {
		ALLONES_MAX_LEN = 4096,		/* longest single update, bytes */
		ALLONES_NUM_PASSES = 32,	/* repetitions of the sweep */
	};
	struct poly1305_desc_ctx running_ctx, summary_ctx;
	u8 tag[POLY1305_DIGEST_SIZE];

	static_assert(TEST_BUF_LEN >= ALLONES_MAX_LEN);
	memset(test_buf, 0xff, ALLONES_MAX_LEN);

	/* test_buf is all 0xff here, so it doubles as the all-ones key. */
	poly1305_init(&running_ctx, test_buf);
	poly1305_init(&summary_ctx, test_buf);

	for (int pass = 0; pass < ALLONES_NUM_PASSES; pass++) {
		size_t len = 0;

		while (len <= ALLONES_MAX_LEN) {
			struct poly1305_desc_ctx snapshot;

			poly1305_update(&running_ctx, test_buf, len);

			/*
			 * Finalize a copy, so the running context keeps
			 * accumulating across iterations and passes.
			 */
			snapshot = running_ctx;
			poly1305_final(&snapshot, tag);

			poly1305_update(&summary_ctx, tag,
					POLY1305_DIGEST_SIZE);
			len += 16;
		}
	}

	poly1305_final(&summary_ctx, tag);
	KUNIT_ASSERT_MEMEQ(test, tag, poly1305_allones_macofmacs,
			   POLY1305_DIGEST_SIZE);
}
/*
 * Poly1305 test case which uses r_key=1, s_key=0, and a 48-byte message made
 * of three blocks with integer values [2**128 - i, 0, 0].  The polynomial
 * evaluation then yields 2**130 - i.  For small i that is very close to the
 * modulus 2**130 - 5, which helps catch edge-case bugs in the modular
 * reduction logic.
 */
static void test_poly1305_reduction_edge_cases(struct kunit *test)
{
	static const u8 key[POLY1305_KEY_SIZE] = { 1 }; /* r_key=1, s_key=0 */
	u8 data[3 * POLY1305_BLOCK_SIZE] = {};
	u8 expected_mac[POLY1305_DIGEST_SIZE];
	u8 actual_mac[POLY1305_DIGEST_SIZE];
	int i = 1;

	while (i <= 10) {
		/*
		 * With s_key=0 the expected MAC, as an integer, is
		 * ((2**130 - i) mod (2**130 - 5)) + 0 mod 2**128:
		 *   1 <= i <= 5   ->  5 - i       (value wrapped past the modulus)
		 *   6 <= i <= 10  ->  2**128 - i  (value stayed below the modulus)
		 */
		const int wrapped = i <= 5;

		/* First data block = 2**128 - i; low byte first, rest 0xff. */
		data[0] = -i;
		memset(&data[1], 0xff, POLY1305_BLOCK_SIZE - 1);

		expected_mac[0] = wrapped ? 5 - i : -i;
		memset(&expected_mac[1], wrapped ? 0 : 0xff,
		       POLY1305_DIGEST_SIZE - 1);

		/* Compute and verify the MAC. */
		poly1305(key, data, sizeof(data), actual_mac);
		KUNIT_ASSERT_MEMEQ(test, actual_mac, expected_mac,
				   POLY1305_DIGEST_SIZE);
		i++;
	}
}
/*
 * Test cases of the suite: the generic cases generated by
 * hash-test-template.h (HASH_KUNIT_CASES), the two Poly1305-specific cases
 * defined in this file, and benchmark_hash (not defined in this file;
 * presumably also provided by the template -- confirm).  The empty entry
 * terminates the array.
 */
static struct kunit_case poly1305_test_cases[] = {
	HASH_KUNIT_CASES,
	KUNIT_CASE(test_poly1305_allones_keys_and_message),
	KUNIT_CASE(test_poly1305_reduction_edge_cases),
	KUNIT_CASE(benchmark_hash),
	{},
};

/*
 * Suite descriptor.  suite_init fills test_key before any case runs;
 * suite_exit forwards to the shared hash suite teardown.
 */
static struct kunit_suite poly1305_test_suite = {
	.name = "poly1305",
	.test_cases = poly1305_test_cases,
	.suite_init = poly1305_suite_init,
	.suite_exit = poly1305_suite_exit,
};
kunit_test_suite(poly1305_test_suite);

MODULE_DESCRIPTION("KUnit tests and benchmark for Poly1305");
MODULE_LICENSE("GPL");