On Fri, Dec 5, 2025 at 9:39 AM Daniel Hodges git@danielhodges.dev wrote:
Add selftests to validate the bpf_crypto_hash works properly. The tests verify both correct functionality and proper error handling.
Test Data: All tests use the well-known NIST test vector input "abc" and validate against the standardized expected outputs for each algorithm. This ensures the BPF kfunc wrappers correctly delegate to the kernel crypto library.
Signed-off-by: Daniel Hodges git@danielhodges.dev
tools/testing/selftests/bpf/config | 2 + .../selftests/bpf/prog_tests/crypto_hash.c | 158 ++++++++++++++++++ .../testing/selftests/bpf/progs/crypto_hash.c | 141 ++++++++++++++++ 3 files changed, 301 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/crypto_hash.c create mode 100644 tools/testing/selftests/bpf/progs/crypto_hash.c
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config index 558839e3c185..d168b3073cba 100644 --- a/tools/testing/selftests/bpf/config +++ b/tools/testing/selftests/bpf/config @@ -12,7 +12,9 @@ CONFIG_BPF_SYSCALL=y # CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set CONFIG_CGROUP_BPF=y CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_HASH2=y CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_USER_API=y CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y diff --git a/tools/testing/selftests/bpf/prog_tests/crypto_hash.c b/tools/testing/selftests/bpf/prog_tests/crypto_hash.c new file mode 100644 index 000000000000..f1495ea85aae --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/crypto_hash.c @@ -0,0 +1,158 @@ +// SPDX-License-Identifier: GPL-2.0
Maybe add Copyright here?
+#include <test_progs.h> +#include <errno.h> +#include "crypto_hash.skel.h"
+/* NIST test vectors for SHA-256("abc") */ +static const unsigned char expected_sha256[32] = {
0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad+};
+/* NIST test vectors for SHA-384("abc") */ +static const unsigned char expected_sha384[48] = {
0xcb, 0x00, 0x75, 0x3f, 0x45, 0xa3, 0x5e, 0x8b,0xb5, 0xa0, 0x3d, 0x69, 0x9a, 0xc6, 0x50, 0x07,0x27, 0x2c, 0x32, 0xab, 0x0e, 0xde, 0xd1, 0x63,0x1a, 0x8b, 0x60, 0x5a, 0x43, 0xff, 0x5b, 0xed,0x80, 0x86, 0x07, 0x2b, 0xa1, 0xe7, 0xcc, 0x23,0x58, 0xba, 0xec, 0xa1, 0x34, 0xc8, 0x25, 0xa7+};
+/* NIST test vectors for SHA-512("abc") */ +static const unsigned char expected_sha512[64] = {
0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba,0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31,0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2,0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a,0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8,0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd,0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e,0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f+};
+static void test_sha256_basic(void) +{
struct crypto_hash *skel;int err, prog_fd;LIBBPF_OPTS(bpf_test_run_opts, topts);skel = crypto_hash__open_and_load();if (!skel) {/* Skip if kfuncs not available (CONFIG_CRYPTO_HASH2 not set) */if (errno == ENOENT || errno == EINVAL) {test__skip();return;}ASSERT_OK_PTR(skel, "crypto_hash__open_and_load");return;}prog_fd = bpf_program__fd(skel->progs.test_sha256);err = bpf_prog_test_run_opts(prog_fd, &topts);ASSERT_OK(err, "test_sha256");ASSERT_EQ(skel->data->sha256_status, 0, "sha256_status");ASSERT_EQ(memcmp(skel->bss->sha256_output, expected_sha256, 32), 0,"sha256_output_match");crypto_hash__destroy(skel);+}
nit: We have quite some duplicated code here. Maybe try to reuse some of the code?
Thanks, Song