1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
|
// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright 2025 Google LLC
*/
#include <crypto/sha2.h>
#include "sha256-testvecs.h"
/* Generate the HASH_KUNIT_CASES using hash-test-template.h. */
#define HASH sha256
#define HASH_CTX sha256_ctx
#define HASH_SIZE SHA256_DIGEST_SIZE
#define HASH_INIT sha256_init
#define HASH_UPDATE sha256_update
#define HASH_FINAL sha256_final
#define HMAC_KEY hmac_sha256_key
#define HMAC_CTX hmac_sha256_ctx
#define HMAC_PREPAREKEY hmac_sha256_preparekey
#define HMAC_INIT hmac_sha256_init
#define HMAC_UPDATE hmac_sha256_update
#define HMAC_FINAL hmac_sha256_final
#define HMAC hmac_sha256
#define HMAC_USINGRAWKEY hmac_sha256_usingrawkey
#include "hash-test-template.h"
static void free_guarded_buf(void *buf)
{
vfree(buf);
}
/*
* Allocate a KUnit-managed buffer that has length @len bytes immediately
* followed by an unmapped page, and assert that the allocation succeeds.
*/
static void *alloc_guarded_buf(struct kunit *test, size_t len)
{
size_t full_len = round_up(len, PAGE_SIZE);
void *buf = vmalloc(full_len);
KUNIT_ASSERT_NOT_NULL(test, buf);
KUNIT_ASSERT_EQ(test, 0,
kunit_add_action_or_reset(test, free_guarded_buf, buf));
return buf + full_len - len;
}
/*
* Test for sha256_finup_2x(). Specifically, choose various data lengths and
* salt lengths, and for each one, verify that sha256_finup_2x() produces the
* same results as sha256_update() and sha256_final().
*
* Use guarded buffers for all inputs and outputs to reliably detect any
* out-of-bounds reads or writes, even if they occur in assembly code.
*/
static void test_sha256_finup_2x(struct kunit *test)
{
const size_t max_data_len = 16384;
u8 *data1_buf, *data2_buf, *hash1, *hash2;
u8 expected_hash1[SHA256_DIGEST_SIZE];
u8 expected_hash2[SHA256_DIGEST_SIZE];
u8 salt[SHA256_BLOCK_SIZE];
struct sha256_ctx *ctx;
data1_buf = alloc_guarded_buf(test, max_data_len);
data2_buf = alloc_guarded_buf(test, max_data_len);
hash1 = alloc_guarded_buf(test, SHA256_DIGEST_SIZE);
hash2 = alloc_guarded_buf(test, SHA256_DIGEST_SIZE);
ctx = alloc_guarded_buf(test, sizeof(*ctx));
rand_bytes(data1_buf, max_data_len);
rand_bytes(data2_buf, max_data_len);
rand_bytes(salt, sizeof(salt));
for (size_t i = 0; i < 500; i++) {
size_t salt_len = rand_length(sizeof(salt));
size_t data_len = rand_length(max_data_len);
const u8 *data1 = data1_buf + max_data_len - data_len;
const u8 *data2 = data2_buf + max_data_len - data_len;
struct sha256_ctx orig_ctx;
sha256_init(ctx);
sha256_update(ctx, salt, salt_len);
orig_ctx = *ctx;
sha256_finup_2x(ctx, data1, data2, data_len, hash1, hash2);
KUNIT_ASSERT_MEMEQ_MSG(
test, ctx, &orig_ctx, sizeof(*ctx),
"sha256_finup_2x() modified its ctx argument");
sha256_update(ctx, data1, data_len);
sha256_final(ctx, expected_hash1);
sha256_update(&orig_ctx, data2, data_len);
sha256_final(&orig_ctx, expected_hash2);
KUNIT_ASSERT_MEMEQ_MSG(
test, hash1, expected_hash1, SHA256_DIGEST_SIZE,
"Wrong hash1 with salt_len=%zu data_len=%zu", salt_len,
data_len);
KUNIT_ASSERT_MEMEQ_MSG(
test, hash2, expected_hash2, SHA256_DIGEST_SIZE,
"Wrong hash2 with salt_len=%zu data_len=%zu", salt_len,
data_len);
}
}
/* Test sha256_finup_2x() with ctx == NULL */
static void test_sha256_finup_2x_defaultctx(struct kunit *test)
{
const size_t data_len = 128;
struct sha256_ctx ctx;
u8 hash1_a[SHA256_DIGEST_SIZE];
u8 hash2_a[SHA256_DIGEST_SIZE];
u8 hash1_b[SHA256_DIGEST_SIZE];
u8 hash2_b[SHA256_DIGEST_SIZE];
rand_bytes(test_buf, 2 * data_len);
sha256_init(&ctx);
sha256_finup_2x(&ctx, test_buf, &test_buf[data_len], data_len, hash1_a,
hash2_a);
sha256_finup_2x(NULL, test_buf, &test_buf[data_len], data_len, hash1_b,
hash2_b);
KUNIT_ASSERT_MEMEQ(test, hash1_a, hash1_b, SHA256_DIGEST_SIZE);
KUNIT_ASSERT_MEMEQ(test, hash2_a, hash2_b, SHA256_DIGEST_SIZE);
}
/*
* Test that sha256_finup_2x() and sha256_update/final() produce consistent
* results with total message lengths that require more than 32 bits.
*/
static void test_sha256_finup_2x_hugelen(struct kunit *test)
{
const size_t data_len = 4 * SHA256_BLOCK_SIZE;
struct sha256_ctx ctx = {};
u8 expected_hash[SHA256_DIGEST_SIZE];
u8 hash[SHA256_DIGEST_SIZE];
rand_bytes(test_buf, data_len);
for (size_t align = 0; align < SHA256_BLOCK_SIZE; align++) {
sha256_init(&ctx);
ctx.ctx.bytecount = 0x123456789abcd00 + align;
sha256_finup_2x(&ctx, test_buf, test_buf, data_len, hash, hash);
sha256_update(&ctx, test_buf, data_len);
sha256_final(&ctx, expected_hash);
KUNIT_ASSERT_MEMEQ(test, hash, expected_hash,
SHA256_DIGEST_SIZE);
}
}
/* Benchmark for sha256_finup_2x() */
static void benchmark_sha256_finup_2x(struct kunit *test)
{
/*
* Try a few different salt lengths, since sha256_finup_2x() performance
* may vary slightly for the same data_len depending on how many bytes
* were already processed in the initial context.
*/
static const size_t salt_lens_to_test[] = { 0, 32, 64 };
const size_t data_len = 4096;
const size_t num_iters = 4096;
struct sha256_ctx ctx;
u8 hash1[SHA256_DIGEST_SIZE];
u8 hash2[SHA256_DIGEST_SIZE];
if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK))
kunit_skip(test, "not enabled");
if (!sha256_finup_2x_is_optimized())
kunit_skip(test, "not relevant");
rand_bytes(test_buf, data_len * 2);
/* Warm-up */
for (size_t i = 0; i < num_iters; i++)
sha256_finup_2x(NULL, &test_buf[0], &test_buf[data_len],
data_len, hash1, hash2);
for (size_t i = 0; i < ARRAY_SIZE(salt_lens_to_test); i++) {
size_t salt_len = salt_lens_to_test[i];
u64 t0, t1;
/*
* Prepare the initial context. The time to process the salt is
* not measured; we're just interested in sha256_finup_2x().
*/
sha256_init(&ctx);
sha256_update(&ctx, test_buf, salt_len);
preempt_disable();
t0 = ktime_get_ns();
for (size_t j = 0; j < num_iters; j++)
sha256_finup_2x(&ctx, &test_buf[0], &test_buf[data_len],
data_len, hash1, hash2);
t1 = ktime_get_ns();
preempt_enable();
kunit_info(test, "data_len=%zu salt_len=%zu: %llu MB/s",
data_len, salt_len,
div64_u64((u64)data_len * 2 * num_iters * 1000,
t1 - t0 ?: 1));
}
}
static struct kunit_case hash_test_cases[] = {
HASH_KUNIT_CASES,
KUNIT_CASE(test_sha256_finup_2x),
KUNIT_CASE(test_sha256_finup_2x_defaultctx),
KUNIT_CASE(test_sha256_finup_2x_hugelen),
KUNIT_CASE(benchmark_hash),
KUNIT_CASE(benchmark_sha256_finup_2x),
{},
};
static struct kunit_suite hash_test_suite = {
.name = "sha256",
.test_cases = hash_test_cases,
.suite_init = hash_suite_init,
.suite_exit = hash_suite_exit,
};
kunit_test_suite(hash_test_suite);
MODULE_DESCRIPTION("KUnit tests and benchmark for SHA-256 and HMAC-SHA256");
MODULE_LICENSE("GPL");
|
