// SPDX-License-Identifier: GPL-2.0-or-later1/*2* Copyright 2025 Google LLC3*/4#include <crypto/poly1305.h>5#include "poly1305-testvecs.h"67/*8* A fixed key used when presenting Poly1305 as an unkeyed hash function in9* order to reuse hash-test-template.h. At the beginning of the test suite,10* this is initialized to bytes generated from a fixed seed.11*/12static u8 test_key[POLY1305_KEY_SIZE];1314/* This probably should be in the actual API, but just define it here for now */15static void poly1305(const u8 key[POLY1305_KEY_SIZE], const u8 *data,16size_t len, u8 out[POLY1305_DIGEST_SIZE])17{18struct poly1305_desc_ctx ctx;1920poly1305_init(&ctx, key);21poly1305_update(&ctx, data, len);22poly1305_final(&ctx, out);23}2425static void poly1305_init_withtestkey(struct poly1305_desc_ctx *ctx)26{27poly1305_init(ctx, test_key);28}2930static void poly1305_withtestkey(const u8 *data, size_t len,31u8 out[POLY1305_DIGEST_SIZE])32{33poly1305(test_key, data, len, out);34}3536/* Generate the HASH_KUNIT_CASES using hash-test-template.h. */37#define HASH poly1305_withtestkey38#define HASH_CTX poly1305_desc_ctx39#define HASH_SIZE POLY1305_DIGEST_SIZE40#define HASH_INIT poly1305_init_withtestkey41#define HASH_UPDATE poly1305_update42#define HASH_FINAL poly1305_final43#include "hash-test-template.h"4445static int poly1305_suite_init(struct kunit_suite *suite)46{47rand_bytes_seeded_from_len(test_key, POLY1305_KEY_SIZE);48return hash_suite_init(suite);49}5051static void poly1305_suite_exit(struct kunit_suite *suite)52{53hash_suite_exit(suite);54}5556/*57* Poly1305 test case which uses a key and message consisting only of one bits:58*59* - Using an all-one-bits r_key tests the key clamping.60* - Using an all-one-bits s_key tests carries in implementations of the61* addition mod 2**128 during finalization.62* - Using all-one-bits message, and to a lesser extent r_key, tends to maximize63* any intermediate accumulator values. This increases the chance of64* detecting bugs that occur only in rare cases where the accumulator values65* get very large, for example the bug fixed by commit 678cce4019d746da66* ("crypto: x86/poly1305 - fix overflow during partial reduction").67*68* Accumulator overflow bugs may be specific to particular update lengths (in69* blocks) and/or particular values of the previous acculumator. Note that the70* accumulator starts at 0 which gives the lowest chance of an overflow. Thus,71* a single all-one-bits test vector may be insufficient.72*73* Considering that, do the following test: continuously update a single74* Poly1305 context with all-one-bits data of varying lengths (0, 16, 32, ...,75* 4096 bytes). After each update, generate the MAC from the current context,76* and feed that MAC into a separate Poly1305 context. Repeat that entire77* sequence of updates 32 times without re-initializing either context,78* resulting in a total of 8224 MAC computations from a long-running, cumulative79* context. Finally, generate and verify the MAC of all the MACs.80*/81static void test_poly1305_allones_keys_and_message(struct kunit *test)82{83struct poly1305_desc_ctx mac_ctx, macofmacs_ctx;84u8 mac[POLY1305_DIGEST_SIZE];8586static_assert(TEST_BUF_LEN >= 4096);87memset(test_buf, 0xff, 4096);8889poly1305_init(&mac_ctx, test_buf);90poly1305_init(&macofmacs_ctx, test_buf);91for (int i = 0; i < 32; i++) {92for (size_t len = 0; len <= 4096; len += 16) {93struct poly1305_desc_ctx tmp_ctx;9495poly1305_update(&mac_ctx, test_buf, len);96tmp_ctx = mac_ctx;97poly1305_final(&tmp_ctx, mac);98poly1305_update(&macofmacs_ctx, mac,99POLY1305_DIGEST_SIZE);100}101}102poly1305_final(&macofmacs_ctx, mac);103KUNIT_ASSERT_MEMEQ(test, mac, poly1305_allones_macofmacs,104POLY1305_DIGEST_SIZE);105}106107/*108* Poly1305 test case which uses r_key=1, s_key=0, and a 48-byte message109* consisting of three blocks with integer values [2**128 - i, 0, 0]. In this110* case, the result of the polynomial evaluation is 2**130 - i. For small111* values of i, this is very close to the modulus 2**130 - 5, which helps catch112* edge case bugs in the modular reduction logic.113*/114static void test_poly1305_reduction_edge_cases(struct kunit *test)115{116static const u8 key[POLY1305_KEY_SIZE] = { 1 }; /* r_key=1, s_key=0 */117u8 data[3 * POLY1305_BLOCK_SIZE] = {};118u8 expected_mac[POLY1305_DIGEST_SIZE];119u8 actual_mac[POLY1305_DIGEST_SIZE];120121for (int i = 1; i <= 10; i++) {122/* Set the first data block to 2**128 - i. */123data[0] = -i;124memset(&data[1], 0xff, POLY1305_BLOCK_SIZE - 1);125126/*127* Assuming s_key=0, the expected MAC as an integer is128* (2**130 - i mod 2**130 - 5) + 0 mod 2**128. If 1 <= i <= 5,129* that's 5 - i. If 6 <= i <= 10, that's 2**128 - i.130*/131if (i <= 5) {132expected_mac[0] = 5 - i;133memset(&expected_mac[1], 0, POLY1305_DIGEST_SIZE - 1);134} else {135expected_mac[0] = -i;136memset(&expected_mac[1], 0xff,137POLY1305_DIGEST_SIZE - 1);138}139140/* Compute and verify the MAC. */141poly1305(key, data, sizeof(data), actual_mac);142KUNIT_ASSERT_MEMEQ(test, actual_mac, expected_mac,143POLY1305_DIGEST_SIZE);144}145}146147static struct kunit_case poly1305_test_cases[] = {148HASH_KUNIT_CASES,149KUNIT_CASE(test_poly1305_allones_keys_and_message),150KUNIT_CASE(test_poly1305_reduction_edge_cases),151KUNIT_CASE(benchmark_hash),152{},153};154155static struct kunit_suite poly1305_test_suite = {156.name = "poly1305",157.test_cases = poly1305_test_cases,158.suite_init = poly1305_suite_init,159.suite_exit = poly1305_suite_exit,160};161kunit_test_suite(poly1305_test_suite);162163MODULE_DESCRIPTION("KUnit tests and benchmark for Poly1305");164MODULE_LICENSE("GPL");165166167