path: root/lib/crypto/tests/hash-test-template.h

/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * Test cases for hash functions, including a benchmark.  This is included by
 * KUnit test suites that want to use it.  See sha512_kunit.c for an example.
 *
 * Copyright 2025 Google LLC
 */
#include <kunit/run-in-irq-context.h>
#include <kunit/test.h>
#include <linux/vmalloc.h>

/* test_buf is a guarded buffer, i.e. &test_buf[TEST_BUF_LEN] is not mapped. */
#define TEST_BUF_LEN 16384
static u8 *test_buf;

static u8 *orig_test_buf;

static u64 random_seed;

/*
 * This is a simple linear congruential generator.  It is used only for testing,
 * which does not require cryptographically secure random numbers.  A hard-coded
 * algorithm is used instead of <linux/prandom.h> so that it matches the
 * algorithm used by the test vector generation script.  This allows the input
 * data in random test vectors to be concisely stored as just the seed.
 */
static u32 rand32(void)
{
	random_seed = (random_seed * 25214903917 + 11) & ((1ULL << 48) - 1);
	return random_seed >> 16;
}

static void rand_bytes(u8 *out, size_t len)
{
	for (size_t i = 0; i < len; i++)
		out[i] = rand32();
}

static void rand_bytes_seeded_from_len(u8 *out, size_t len)
{
	random_seed = len;
	rand_bytes(out, len);
}

static bool rand_bool(void)
{
	return rand32() % 2;
}

/* Generate a random length, preferring small lengths. */
static size_t rand_length(size_t max_len)
{
	size_t len;

	switch (rand32() % 3) {
	case 0:
		len = rand32() % 128;
		break;
	case 1:
		len = rand32() % 3072;
		break;
	default:
		len = rand32();
		break;
	}
	return len % (max_len + 1);
}

static size_t rand_offset(size_t max_offset)
{
	return min(rand32() % 128, max_offset);
}

static int hash_suite_init(struct kunit_suite *suite)
{
	/*
	 * Allocate the test buffer using vmalloc() with a page-aligned length
	 * so that it is immediately followed by a guard page.  This allows
	 * buffer overreads to be detected, even in assembly code.
	 */
	size_t alloc_len = round_up(TEST_BUF_LEN, PAGE_SIZE);

	orig_test_buf = vmalloc(alloc_len);
	if (!orig_test_buf)
		return -ENOMEM;

	test_buf = orig_test_buf + alloc_len - TEST_BUF_LEN;
	return 0;
}

static void hash_suite_exit(struct kunit_suite *suite)
{
	vfree(orig_test_buf);
	orig_test_buf = NULL;
	test_buf = NULL;
}

/*
 * Test the hash function against a list of test vectors.
 *
 * Note that it's only necessary to run each test vector in one way (e.g.,
 * one-shot instead of incremental), since consistency between different ways of
 * using the APIs is verified by other test cases.
 */
static void test_hash_test_vectors(struct kunit *test)
{
	for (size_t i = 0; i < ARRAY_SIZE(hash_testvecs); i++) {
		size_t data_len = hash_testvecs[i].data_len;
		u8 actual_hash[HASH_SIZE];

		KUNIT_ASSERT_LE(test, data_len, TEST_BUF_LEN);
		rand_bytes_seeded_from_len(test_buf, data_len);

		HASH(test_buf, data_len, actual_hash);
		KUNIT_ASSERT_MEMEQ_MSG(
			test, actual_hash, hash_testvecs[i].digest, HASH_SIZE,
			"Wrong result with test vector %zu; data_len=%zu", i,
			data_len);
	}
}

/*
 * Test that the hash function produces correct results for *every* length up to
 * 4096 bytes.  To do this, generate seeded random data, then calculate a hash
 * value for each length 0..4096, then hash the hash values.  Verify just the
 * final hash value, which should match only when all hash values were correct.
 */
static void test_hash_all_lens_up_to_4096(struct kunit *test)
{
	struct HASH_CTX ctx;
	u8 hash[HASH_SIZE];

	static_assert(TEST_BUF_LEN >= 4096);
	rand_bytes_seeded_from_len(test_buf, 4096);
	HASH_INIT(&ctx);
	for (size_t len = 0; len <= 4096; len++) {
		HASH(test_buf, len, hash);
		HASH_UPDATE(&ctx, hash, HASH_SIZE);
	}
	HASH_FINAL(&ctx, hash);
	KUNIT_ASSERT_MEMEQ(test, hash, hash_testvec_consolidated, HASH_SIZE);
}

/*
 * Test that the hash function produces the same result with a one-shot
 * computation as it does with an incremental computation.
 */
static void test_hash_incremental_updates(struct kunit *test)
{
	for (int i = 0; i < 1000; i++) {
		size_t total_len, offset;
		struct HASH_CTX ctx;
		u8 hash1[HASH_SIZE];
		u8 hash2[HASH_SIZE];
		size_t num_parts = 0;
		size_t remaining_len, cur_offset;

		total_len = rand_length(TEST_BUF_LEN);
		offset = rand_offset(TEST_BUF_LEN - total_len);
		rand_bytes(&test_buf[offset], total_len);

		/* Compute the hash value in one shot. */
		HASH(&test_buf[offset], total_len, hash1);

		/*
		 * Compute the hash value incrementally, using a randomly
		 * selected sequence of update lengths that sum to total_len.
		 */
		HASH_INIT(&ctx);
		remaining_len = total_len;
		cur_offset = offset;
		while (rand_bool()) {
			size_t part_len = rand_length(remaining_len);

			HASH_UPDATE(&ctx, &test_buf[cur_offset], part_len);
			num_parts++;
			cur_offset += part_len;
			remaining_len -= part_len;
		}
		if (remaining_len != 0 || rand_bool()) {
			HASH_UPDATE(&ctx, &test_buf[cur_offset], remaining_len);
			num_parts++;
		}
		HASH_FINAL(&ctx, hash2);

		/* Verify that the two hash values are the same. */
		KUNIT_ASSERT_MEMEQ_MSG(
			test, hash1, hash2, HASH_SIZE,
			"Incremental test failed with total_len=%zu num_parts=%zu offset=%zu",
			total_len, num_parts, offset);
	}
}

/*
 * Test that the hash function does not overrun any buffers.  Uses a guard page
 * to catch buffer overruns even if they occur in assembly code.
 */
static void test_hash_buffer_overruns(struct kunit *test)
{
	const size_t max_tested_len = TEST_BUF_LEN - sizeof(struct HASH_CTX);
	void *const buf_end = &test_buf[TEST_BUF_LEN];
	struct HASH_CTX *guarded_ctx = buf_end - sizeof(*guarded_ctx);

	rand_bytes(test_buf, TEST_BUF_LEN);

	for (int i = 0; i < 100; i++) {
		size_t len = rand_length(max_tested_len);
		struct HASH_CTX ctx;
		u8 hash[HASH_SIZE];

		/* Check for overruns of the data buffer. */
		HASH(buf_end - len, len, hash);
		HASH_INIT(&ctx);
		HASH_UPDATE(&ctx, buf_end - len, len);
		HASH_FINAL(&ctx, hash);

		/* Check for overruns of the hash value buffer. */
		HASH(test_buf, len, buf_end - HASH_SIZE);
		HASH_INIT(&ctx);
		HASH_UPDATE(&ctx, test_buf, len);
		HASH_FINAL(&ctx, buf_end - HASH_SIZE);

		/* Check for overuns of the hash context. */
		HASH_INIT(guarded_ctx);
		HASH_UPDATE(guarded_ctx, test_buf, len);
		HASH_FINAL(guarded_ctx, hash);
	}
}

/*
 * Test that the caller is permitted to alias the output digest and source data
 * buffer, and also modify the source data buffer after it has been used.
 */
static void test_hash_overlaps(struct kunit *test)
{
	const size_t max_tested_len = TEST_BUF_LEN - HASH_SIZE;
	struct HASH_CTX ctx;
	u8 hash[HASH_SIZE];

	rand_bytes(test_buf, TEST_BUF_LEN);

	for