| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224 |
- // SPDX-License-Identifier: GPL-2.0-or-later
- /*
- * Copyright 2025 Google LLC
- */
- #include <crypto/sha2.h>
- #include "sha256-testvecs.h"
- /* Generate the HASH_KUNIT_CASES using hash-test-template.h. */
- #define HASH sha256
- #define HASH_CTX sha256_ctx
- #define HASH_SIZE SHA256_DIGEST_SIZE
- #define HASH_INIT sha256_init
- #define HASH_UPDATE sha256_update
- #define HASH_FINAL sha256_final
- #define HMAC_KEY hmac_sha256_key
- #define HMAC_CTX hmac_sha256_ctx
- #define HMAC_PREPAREKEY hmac_sha256_preparekey
- #define HMAC_INIT hmac_sha256_init
- #define HMAC_UPDATE hmac_sha256_update
- #define HMAC_FINAL hmac_sha256_final
- #define HMAC hmac_sha256
- #define HMAC_USINGRAWKEY hmac_sha256_usingrawkey
- #include "hash-test-template.h"
- static void free_guarded_buf(void *buf)
- {
- vfree(buf);
- }
- /*
- * Allocate a KUnit-managed buffer that has length @len bytes immediately
- * followed by an unmapped page, and assert that the allocation succeeds.
- */
- static void *alloc_guarded_buf(struct kunit *test, size_t len)
- {
- size_t full_len = round_up(len, PAGE_SIZE);
- void *buf = vmalloc(full_len);
- KUNIT_ASSERT_NOT_NULL(test, buf);
- KUNIT_ASSERT_EQ(test, 0,
- kunit_add_action_or_reset(test, free_guarded_buf, buf));
- return buf + full_len - len;
- }
- /*
- * Test for sha256_finup_2x(). Specifically, choose various data lengths and
- * salt lengths, and for each one, verify that sha256_finup_2x() produces the
- * same results as sha256_update() and sha256_final().
- *
- * Use guarded buffers for all inputs and outputs to reliably detect any
- * out-of-bounds reads or writes, even if they occur in assembly code.
- */
- static void test_sha256_finup_2x(struct kunit *test)
- {
- const size_t max_data_len = 16384;
- u8 *data1_buf, *data2_buf, *hash1, *hash2;
- u8 expected_hash1[SHA256_DIGEST_SIZE];
- u8 expected_hash2[SHA256_DIGEST_SIZE];
- u8 salt[SHA256_BLOCK_SIZE];
- struct sha256_ctx *ctx;
- data1_buf = alloc_guarded_buf(test, max_data_len);
- data2_buf = alloc_guarded_buf(test, max_data_len);
- hash1 = alloc_guarded_buf(test, SHA256_DIGEST_SIZE);
- hash2 = alloc_guarded_buf(test, SHA256_DIGEST_SIZE);
- ctx = alloc_guarded_buf(test, sizeof(*ctx));
- rand_bytes(data1_buf, max_data_len);
- rand_bytes(data2_buf, max_data_len);
- rand_bytes(salt, sizeof(salt));
- memset(ctx, 0, sizeof(*ctx));
- for (size_t i = 0; i < 500; i++) {
- size_t salt_len = rand_length(sizeof(salt));
- size_t data_len = rand_length(max_data_len);
- const u8 *data1 = data1_buf + max_data_len - data_len;
- const u8 *data2 = data2_buf + max_data_len - data_len;
- struct sha256_ctx orig_ctx;
- sha256_init(ctx);
- sha256_update(ctx, salt, salt_len);
- orig_ctx = *ctx;
- sha256_finup_2x(ctx, data1, data2, data_len, hash1, hash2);
- KUNIT_ASSERT_MEMEQ_MSG(
- test, ctx, &orig_ctx, sizeof(*ctx),
- "sha256_finup_2x() modified its ctx argument");
- sha256_update(ctx, data1, data_len);
- sha256_final(ctx, expected_hash1);
- sha256_update(&orig_ctx, data2, data_len);
- sha256_final(&orig_ctx, expected_hash2);
- KUNIT_ASSERT_MEMEQ_MSG(
- test, hash1, expected_hash1, SHA256_DIGEST_SIZE,
- "Wrong hash1 with salt_len=%zu data_len=%zu", salt_len,
- data_len);
- KUNIT_ASSERT_MEMEQ_MSG(
- test, hash2, expected_hash2, SHA256_DIGEST_SIZE,
- "Wrong hash2 with salt_len=%zu data_len=%zu", salt_len,
- data_len);
- }
- }
- /* Test sha256_finup_2x() with ctx == NULL */
- static void test_sha256_finup_2x_defaultctx(struct kunit *test)
- {
- const size_t data_len = 128;
- struct sha256_ctx ctx;
- u8 hash1_a[SHA256_DIGEST_SIZE];
- u8 hash2_a[SHA256_DIGEST_SIZE];
- u8 hash1_b[SHA256_DIGEST_SIZE];
- u8 hash2_b[SHA256_DIGEST_SIZE];
- rand_bytes(test_buf, 2 * data_len);
- sha256_init(&ctx);
- sha256_finup_2x(&ctx, test_buf, &test_buf[data_len], data_len, hash1_a,
- hash2_a);
- sha256_finup_2x(NULL, test_buf, &test_buf[data_len], data_len, hash1_b,
- hash2_b);
- KUNIT_ASSERT_MEMEQ(test, hash1_a, hash1_b, SHA256_DIGEST_SIZE);
- KUNIT_ASSERT_MEMEQ(test, hash2_a, hash2_b, SHA256_DIGEST_SIZE);
- }
- /*
- * Test that sha256_finup_2x() and sha256_update/final() produce consistent
- * results with total message lengths that require more than 32 bits.
- */
- static void test_sha256_finup_2x_hugelen(struct kunit *test)
- {
- const size_t data_len = 4 * SHA256_BLOCK_SIZE;
- struct sha256_ctx ctx = {};
- u8 expected_hash[SHA256_DIGEST_SIZE];
- u8 hash[SHA256_DIGEST_SIZE];
- rand_bytes(test_buf, data_len);
- for (size_t align = 0; align < SHA256_BLOCK_SIZE; align++) {
- sha256_init(&ctx);
- ctx.ctx.bytecount = 0x123456789abcd00 + align;
- sha256_finup_2x(&ctx, test_buf, test_buf, data_len, hash, hash);
- sha256_update(&ctx, test_buf, data_len);
- sha256_final(&ctx, expected_hash);
- KUNIT_ASSERT_MEMEQ(test, hash, expected_hash,
- SHA256_DIGEST_SIZE);
- }
- }
- /* Benchmark for sha256_finup_2x() */
- static void benchmark_sha256_finup_2x(struct kunit *test)
- {
- /*
- * Try a few different salt lengths, since sha256_finup_2x() performance
- * may vary slightly for the same data_len depending on how many bytes
- * were already processed in the initial context.
- */
- static const size_t salt_lens_to_test[] = { 0, 32, 64 };
- const size_t data_len = 4096;
- const size_t num_iters = 4096;
- struct sha256_ctx ctx;
- u8 hash1[SHA256_DIGEST_SIZE];
- u8 hash2[SHA256_DIGEST_SIZE];
- if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK))
- kunit_skip(test, "not enabled");
- if (!sha256_finup_2x_is_optimized())
- kunit_skip(test, "not relevant");
- rand_bytes(test_buf, data_len * 2);
- /* Warm-up */
- for (size_t i = 0; i < num_iters; i++)
- sha256_finup_2x(NULL, &test_buf[0], &test_buf[data_len],
- data_len, hash1, hash2);
- for (size_t i = 0; i < ARRAY_SIZE(salt_lens_to_test); i++) {
- size_t salt_len = salt_lens_to_test[i];
- u64 t0, t1;
- /*
- * Prepare the initial context. The time to process the salt is
- * not measured; we're just interested in sha256_finup_2x().
- */
- sha256_init(&ctx);
- sha256_update(&ctx, test_buf, salt_len);
- preempt_disable();
- t0 = ktime_get_ns();
- for (size_t j = 0; j < num_iters; j++)
- sha256_finup_2x(&ctx, &test_buf[0], &test_buf[data_len],
- data_len, hash1, hash2);
- t1 = ktime_get_ns();
- preempt_enable();
- kunit_info(test, "data_len=%zu salt_len=%zu: %llu MB/s",
- data_len, salt_len,
- div64_u64((u64)data_len * 2 * num_iters * 1000,
- t1 - t0 ?: 1));
- }
- }
- static struct kunit_case hash_test_cases[] = {
- HASH_KUNIT_CASES,
- KUNIT_CASE(test_sha256_finup_2x),
- KUNIT_CASE(test_sha256_finup_2x_defaultctx),
- KUNIT_CASE(test_sha256_finup_2x_hugelen),
- KUNIT_CASE(benchmark_hash),
- KUNIT_CASE(benchmark_sha256_finup_2x),
- {},
- };
- static struct kunit_suite hash_test_suite = {
- .name = "sha256",
- .test_cases = hash_test_cases,
- .suite_init = hash_suite_init,
- .suite_exit = hash_suite_exit,
- };
- kunit_test_suite(hash_test_suite);
- MODULE_DESCRIPTION("KUnit tests and benchmark for SHA-256 and HMAC-SHA256");
- MODULE_LICENSE("GPL");
|