From nobody Sat Feb  7 23:23:45 2026
Received: from devnull.danielhodges.dev (vps-2f6e086e.vps.ovh.us
 [135.148.138.8])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D7680472763;
	Tue, 20 Jan 2026 18:47:58 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=135.148.138.8
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1768934881; cv=none;
 b=S6Zw34zSlFYtTaDee2Np/Pz1amy03M3PXxCTctLzXFUeT/3cl1CeDnjZhA433T0aoK8/PwQRrHpyvMrtDg24LPcGeIdvcQg3SbntVCaUdL+B/BVD0Jk48ufAiAI9Ezn+M36ncMKW1bTs1nA9D8Oxh/cmVQzbgD38L7as4MFutE0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1768934881; c=relaxed/simple;
	bh=3FuApgmq8+qWG69vQDHLtWNQp6vT7O55dUIYfGh1gGs=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=IsUCGvBNLJKk4xvOzl3Oc5Q6K3FN2atLGb3RWZ7U227S8Qe9LXTTRwF2IILWwtWXFDFMXnf18VdRCSu4LyA2YBUBg64gH6f4VsMkWYTs32VOx6Lt9crrIAmqwra8vfhVptUG5v8s67AMtc080Nq6xiNGY/phPCvoCShf1KHvWFw=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=danielhodges.dev;
 spf=pass smtp.mailfrom=danielhodges.dev;
 dkim=pass (2048-bit key) header.d=danielhodges.dev header.i=@danielhodges.dev
 header.b=k5PE05wn;
 dkim=permerror (0-bit key) header.d=danielhodges.dev header.i=@danielhodges.dev
 header.b=LWck/hym; arc=none smtp.client-ip=135.148.138.8
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=danielhodges.dev
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=danielhodges.dev
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=danielhodges.dev header.i=@danielhodges.dev
 header.b="k5PE05wn";
	dkim=permerror (0-bit key) header.d=danielhodges.dev
 header.i=@danielhodges.dev header.b="LWck/hym"
DKIM-Signature: v=1; a=rsa-sha256; s=202510r; d=danielhodges.dev;
 c=relaxed/relaxed;
	h=Message-ID:Date:Subject:To:From; t=1768934823; bh=UE43xHU3G/DVn+cG5R+nrrj
	WXszYl0lrKfXaGE5ExpA=; b=k5PE05wn2EdSNmBroxAfoAXP6orPXl+1UQQlKcDRDcXETqjHGJ
	CW86T21FtuQWq+xwSNjoU/uAMmIcyDMMemojbtyagXACefoAtXwaBKsqhHJgQrSJgcbwls+8pQq
	TBiQonS20dNYAnYipfRTMuQmDqJEtkYrzPfS8lOnpA5OPSQKAJlltwjV8Qvb2FrI3sHVxDZPj1o
	BfS9tYKuanIoeyiR4BSfcV5nC8sJRucC66yn2ge/xfqHAwvd4DCq+y/E4lcq9Vt2CdK5Q3rxwWP
	lmh/warjzDU9LrctZVLfcGuoWGwrkIGSCEJErYEMqUPqgaTRCL7dK4ORMkRgkmtj8tw==;
DKIM-Signature: v=1; a=ed25519-sha256; s=202510e; d=danielhodges.dev;
 c=relaxed/relaxed;
	h=Message-ID:Date:Subject:To:From; t=1768934823; bh=UE43xHU3G/DVn+cG5R+nrrj
	WXszYl0lrKfXaGE5ExpA=; b=LWck/hymNIEqmseN6e6irM1YBHy7OGyhWSuRGT/r1MKHJlnTKG
	63vS7cLzf+GKaKNYk2ElaKc9Y2snSgD4XfDQ==;
From: Daniel Hodges <git@danielhodges.dev>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Vadim Fedorenko <vadim.fedorenko@linux.dev>,
	Song Liu <song@kernel.org>,
	Mykyta Yatsenko <yatsenko@meta.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@fomichev.me>,
	Yonghong Song <yonghong.song@linux.dev>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S . Miller" <davem@davemloft.net>,
	linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	Daniel Hodges <git@danielhodges.dev>
Subject: [PATCH bpf-next v5 5/7] selftests/bpf: Add tests for bpf_crypto_hash
 kfunc
Date: Tue, 20 Jan 2026 13:46:59 -0500
Message-ID: <20260120184701.23082-6-git@danielhodges.dev>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260120184701.23082-1-git@danielhodges.dev>
References: <20260120184701.23082-1-git@danielhodges.dev>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add selftests to validate the bpf_crypto_hash works properly. The tests
verify both correct functionality and proper error handling.

Test Data:
All tests use the well-known NIST test vector input "abc" and validate
against the standardized expected outputs for each algorithm. This ensures
the BPF kfunc wrappers correctly delegate to the kernel crypto library.

Signed-off-by: Daniel Hodges <git@danielhodges.dev>
---
 MAINTAINERS                                   |   2 +
 tools/testing/selftests/bpf/config            |   2 +
 .../selftests/bpf/prog_tests/crypto_hash.c    | 210 ++++++++++++++++
 .../selftests/bpf/progs/crypto_common.h       |   2 +
 .../testing/selftests/bpf/progs/crypto_hash.c | 235 ++++++++++++++++++
 5 files changed, 451 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/crypto_hash.c
 create mode 100644 tools/testing/selftests/bpf/progs/crypto_hash.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 62d712a1f730..d23ea38b606f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4718,6 +4718,8 @@ F:	crypto/bpf_crypto_sig.c
 F:	crypto/bpf_crypto_skcipher.c
 F:	include/linux/bpf_crypto.h
 F:	kernel/bpf/crypto.c
+F:	tools/testing/selftests/bpf/prog_tests/crypto_hash.c
+F:	tools/testing/selftests/bpf/progs/crypto_hash.c
=20
 BPF [DOCUMENTATION] (Related to Standardization)
 R:	David Vernet <void@manifault.com>
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/b=
pf/config
index 558839e3c185..814804f71780 100644
--- a/tools/testing/selftests/bpf/config
+++ b/tools/testing/selftests/bpf/config
@@ -13,6 +13,8 @@ CONFIG_BPF_SYSCALL=3Dy
 CONFIG_CGROUP_BPF=3Dy
 CONFIG_CRYPTO_HMAC=3Dy
 CONFIG_CRYPTO_SHA256=3Dy
+CONFIG_CRYPTO_SHA512=3Dy
+CONFIG_CRYPTO_HASH2=3Dy
 CONFIG_CRYPTO_USER_API=3Dy
 CONFIG_CRYPTO_USER_API_HASH=3Dy
 CONFIG_CRYPTO_USER_API_SKCIPHER=3Dy
diff --git a/tools/testing/selftests/bpf/prog_tests/crypto_hash.c b/tools/t=
esting/selftests/bpf/prog_tests/crypto_hash.c
new file mode 100644
index 000000000000..0c78b5f46c9c
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/crypto_hash.c
@@ -0,0 +1,210 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */
+
+#include <test_progs.h>
+#include <errno.h>
+#include "crypto_hash.skel.h"
+
+/* NIST test vectors for SHA-256("abc") */
+static const unsigned char expected_sha256[32] =3D {
+	0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
+	0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
+	0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
+	0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
+};
+
+/* NIST test vectors for SHA-384("abc") */
+static const unsigned char expected_sha384[48] =3D {
+	0xcb, 0x00, 0x75, 0x3f, 0x45, 0xa3, 0x5e, 0x8b,
+	0xb5, 0xa0, 0x3d, 0x69, 0x9a, 0xc6, 0x50, 0x07,
+	0x27, 0x2c, 0x32, 0xab, 0x0e, 0xde, 0xd1, 0x63,
+	0x1a, 0x8b, 0x60, 0x5a, 0x43, 0xff, 0x5b, 0xed,
+	0x80, 0x86, 0x07, 0x2b, 0xa1, 0xe7, 0xcc, 0x23,
+	0x58, 0xba, 0xec, 0xa1, 0x34, 0xc8, 0x25, 0xa7
+};
+
+/* NIST test vectors for SHA-512("abc") */
+static const unsigned char expected_sha512[64] =3D {
+	0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba,
+	0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31,
+	0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2,
+	0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a,
+	0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8,
+	0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd,
+	0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e,
+	0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f
+};
+
+static struct crypto_hash *setup_skel(void)
+{
+	struct crypto_hash *skel;
+
+	skel =3D crypto_hash__open_and_load();
+	if (!skel) {
+		/* Skip if kfuncs not available (CONFIG_CRYPTO_HASH2 not set) */
+		if (errno =3D=3D ENOENT || errno =3D=3D EINVAL) {
+			test__skip();
+			return NULL;
+		}
+		ASSERT_OK_PTR(skel, "crypto_hash__open_and_load");
+		return NULL;
+	}
+
+	return skel;
+}
+
+static void test_sha256_basic(void)
+{
+	struct crypto_hash *skel;
+	int err, prog_fd;
+
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel =3D setup_skel();
+	if (!skel)
+		return;
+
+	prog_fd =3D bpf_program__fd(skel->progs.test_sha256);
+	err =3D bpf_prog_test_run_opts(prog_fd, &topts);
+	ASSERT_OK(err, "test_sha256");
+	ASSERT_EQ(skel->data->sha256_status, 0, "sha256_status");
+	ASSERT_EQ(memcmp(skel->bss->sha256_output, expected_sha256, 32), 0,
+		  "sha256_output_match");
+
+	crypto_hash__destroy(skel);
+}
+
+static void test_sha384_basic(void)
+{
+	struct crypto_hash *skel;
+	int err, prog_fd;
+
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel =3D setup_skel();
+	if (!skel)
+		return;
+	prog_fd =3D bpf_program__fd(skel->progs.test_sha384);
+	err =3D bpf_prog_test_run_opts(prog_fd, &topts);
+	ASSERT_OK(err, "test_sha384");
+	ASSERT_EQ(skel->data->sha384_status, 0, "sha384_status");
+	ASSERT_EQ(memcmp(skel->bss->sha384_output, expected_sha384, 48), 0,
+		  "sha384_output_match");
+
+	crypto_hash__destroy(skel);
+}
+
+static void test_sha512_basic(void)
+{
+	struct crypto_hash *skel;
+	int err, prog_fd;
+
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel =3D setup_skel();
+	if (!skel)
+		return;
+
+	prog_fd =3D bpf_program__fd(skel->progs.test_sha512);
+	err =3D bpf_prog_test_run_opts(prog_fd, &topts);
+	ASSERT_OK(err, "test_sha512");
+	ASSERT_EQ(skel->data->sha512_status, 0, "sha512_status");
+	ASSERT_EQ(memcmp(skel->bss->sha512_output, expected_sha512, 64), 0,
+		  "sha512_output_match");
+
+	crypto_hash__destroy(skel);
+}
+
+static void test_sha256_invalid_params(void)
+{
+	struct crypto_hash *skel;
+	int err, prog_fd;
+
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel =3D setup_skel();
+	if (!skel)
+		return;
+
+	prog_fd =3D bpf_program__fd(skel->progs.test_sha256_zero_len);
+	err =3D bpf_prog_test_run_opts(prog_fd, &topts);
+	ASSERT_OK(err, "test_zero_len");
+	ASSERT_EQ(skel->data->sha256_status, 0, "zero_len_rejected");
+
+	crypto_hash__destroy(skel);
+}
+
+static void test_hash_with_key_rejected(void)
+{
+	struct crypto_hash *skel;
+	int err, prog_fd;
+
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel =3D setup_skel();
+	if (!skel)
+		return;
+
+	prog_fd =3D bpf_program__fd(skel->progs.test_hash_with_key_rejected);
+	err =3D bpf_prog_test_run_opts(prog_fd, &topts);
+	ASSERT_OK(err, "test_hash_with_key_rejected");
+	ASSERT_EQ(skel->data->hash_with_key_status, 0, "hash_with_key_rejected");
+
+	crypto_hash__destroy(skel);
+}
+
+static void test_hash_output_too_small(void)
+{
+	struct crypto_hash *skel;
+	int err, prog_fd;
+
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel =3D setup_skel();
+	if (!skel)
+		return;
+
+	prog_fd =3D bpf_program__fd(skel->progs.test_hash_output_too_small);
+	err =3D bpf_prog_test_run_opts(prog_fd, &topts);
+	ASSERT_OK(err, "test_hash_output_too_small");
+	ASSERT_EQ(skel->data->hash_output_too_small_status, 0, "hash_output_too_s=
mall");
+
+	crypto_hash__destroy(skel);
+}
+
+static void test_hash_on_skcipher_ctx(void)
+{
+	struct crypto_hash *skel;
+	int err, prog_fd;
+
+	LIBBPF_OPTS(bpf_test_run_opts, topts);
+
+	skel =3D setup_skel();
+	if (!skel)
+		return;
+
+	prog_fd =3D bpf_program__fd(skel->progs.test_hash_on_skcipher_ctx);
+	err =3D bpf_prog_test_run_opts(prog_fd, &topts);
+	ASSERT_OK(err, "test_hash_on_skcipher_ctx");
+	ASSERT_EQ(skel->data->hash_on_skcipher_status, 0, "hash_on_skcipher_rejec=
ted");
+
+	crypto_hash__destroy(skel);
+}
+
+void test_crypto_hash(void)
+{
+	if (test__start_subtest("sha256_basic"))
+		test_sha256_basic();
+	if (test__start_subtest("sha384_basic"))
+		test_sha384_basic();
+	if (test__start_subtest("sha512_basic"))
+		test_sha512_basic();
+	if (test__start_subtest("sha256_invalid_params"))
+		test_sha256_invalid_params();
+	if (test__start_subtest("hash_with_key_rejected"))
+		test_hash_with_key_rejected();
+	if (test__start_subtest("hash_output_too_small"))
+		test_hash_output_too_small();
+	if (test__start_subtest("hash_on_skcipher_ctx"))
+		test_hash_on_skcipher_ctx();
+}
diff --git a/tools/testing/selftests/bpf/progs/crypto_common.h b/tools/test=
ing/selftests/bpf/progs/crypto_common.h
index 57dd7a68a8c3..2f04f08f890b 100644
--- a/tools/testing/selftests/bpf/progs/crypto_common.h
+++ b/tools/testing/selftests/bpf/progs/crypto_common.h
@@ -15,6 +15,8 @@ int bpf_crypto_encrypt(struct bpf_crypto_ctx *ctx, const =
struct bpf_dynptr *src,
 		       const struct bpf_dynptr *dst, const struct bpf_dynptr *iv) __ksym;
 int bpf_crypto_decrypt(struct bpf_crypto_ctx *ctx, const struct bpf_dynptr=
 *src,
 		       const struct bpf_dynptr *dst, const struct bpf_dynptr *iv) __ksym;
+int bpf_crypto_hash(struct bpf_crypto_ctx *ctx, const struct bpf_dynptr *d=
ata,
+		    const struct bpf_dynptr *out) __ksym;
=20
 struct __crypto_ctx_value {
 	struct bpf_crypto_ctx __kptr * ctx;
diff --git a/tools/testing/selftests/bpf/progs/crypto_hash.c b/tools/testin=
g/selftests/bpf/progs/crypto_hash.c
new file mode 100644
index 000000000000..e6eacbc40607
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/crypto_hash.c
@@ -0,0 +1,235 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+#include "bpf_kfuncs.h"
+#include "crypto_common.h"
+
+unsigned char test_input[3] =3D "abc";
+
+/* Expected SHA-256 hash of "abc" */
+/* ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad=
 */
+unsigned char expected_sha256[32] =3D {
+	0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
+	0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
+	0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
+	0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
+};
+
+/* Output buffers for test results */
+unsigned char sha256_output[32] =3D {};
+unsigned char sha384_output[48] =3D {};
+unsigned char sha512_output[64] =3D {};
+unsigned char small_output[16] =3D {}; /* Intentionally small for output_t=
oo_small test */
+
+int sha256_status =3D -1;
+int sha384_status =3D -1;
+int sha512_status =3D -1;
+int hash_with_key_status =3D -1;
+int hash_output_too_small_status =3D -1;
+int hash_on_skcipher_status =3D -1;
+
+SEC("syscall")
+int test_sha256(void *ctx)
+{
+	struct bpf_dynptr input_ptr, output_ptr;
+	struct bpf_crypto_ctx *hash_ctx;
+	struct bpf_crypto_params params =3D {
+		.type =3D "hash",
+		.algo =3D "sha256",
+		.key_len =3D 0,
+	};
+	int err =3D 0;
+
+	hash_ctx =3D bpf_crypto_ctx_create(&params, sizeof(params), &err);
+	if (!hash_ctx) {
+		sha256_status =3D err;
+		return 0;
+	}
+
+	bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr);
+	bpf_dynptr_from_mem(sha256_output, sizeof(sha256_output), 0, &output_ptr);
+
+	sha256_status =3D bpf_crypto_hash(hash_ctx, &input_ptr, &output_ptr);
+	bpf_crypto_ctx_release(hash_ctx);
+	return 0;
+}
+
+SEC("syscall")
+int test_sha384(void *ctx)
+{
+	struct bpf_dynptr input_ptr, output_ptr;
+	struct bpf_crypto_ctx *hash_ctx;
+	struct bpf_crypto_params params =3D {
+		.type =3D "hash",
+		.algo =3D "sha384",
+		.key_len =3D 0,
+	};
+	int err =3D 0;
+
+	hash_ctx =3D bpf_crypto_ctx_create(&params, sizeof(params), &err);
+	if (!hash_ctx) {
+		sha384_status =3D err;
+		return 0;
+	}
+
+	bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr);
+	bpf_dynptr_from_mem(sha384_output, sizeof(sha384_output), 0, &output_ptr);
+
+	sha384_status =3D bpf_crypto_hash(hash_ctx, &input_ptr, &output_ptr);
+	bpf_crypto_ctx_release(hash_ctx);
+	return 0;
+}
+
+SEC("syscall")
+int test_sha512(void *ctx)
+{
+	struct bpf_dynptr input_ptr, output_ptr;
+	struct bpf_crypto_ctx *hash_ctx;
+	struct bpf_crypto_params params =3D {
+		.type =3D "hash",
+		.algo =3D "sha512",
+		.key_len =3D 0,
+	};
+	int err =3D 0;
+
+	hash_ctx =3D bpf_crypto_ctx_create(&params, sizeof(params), &err);
+	if (!hash_ctx) {
+		sha512_status =3D err;
+		return 0;
+	}
+
+	bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr);
+	bpf_dynptr_from_mem(sha512_output, sizeof(sha512_output), 0, &output_ptr);
+
+	sha512_status =3D bpf_crypto_hash(hash_ctx, &input_ptr, &output_ptr);
+	bpf_crypto_ctx_release(hash_ctx);
+	return 0;
+}
+
+SEC("syscall")
+int test_sha256_zero_len(void *ctx)
+{
+	struct bpf_dynptr input_ptr, output_ptr;
+	struct bpf_crypto_ctx *hash_ctx;
+	struct bpf_crypto_params params =3D {
+		.type =3D "hash",
+		.algo =3D "sha256",
+		.key_len =3D 0,
+	};
+	int err =3D 0;
+	int ret;
+
+	hash_ctx =3D bpf_crypto_ctx_create(&params, sizeof(params), &err);
+	if (!hash_ctx) {
+		sha256_status =3D err;
+		return 0;
+	}
+
+	bpf_dynptr_from_mem(test_input, 0, 0, &input_ptr);
+	bpf_dynptr_from_mem(sha256_output, sizeof(sha256_output), 0, &output_ptr);
+
+	ret =3D bpf_crypto_hash(hash_ctx, &input_ptr, &output_ptr);
+	sha256_status =3D (ret =3D=3D -22) ? 0 : ret;
+	bpf_crypto_ctx_release(hash_ctx);
+	return 0;
+}
+
+/* Test that hash context creation with a key is rejected */
+SEC("syscall")
+int test_hash_with_key_rejected(void *ctx)
+{
+	struct bpf_crypto_ctx *hash_ctx;
+	struct bpf_crypto_params params =3D {
+		.type =3D "hash",
+		.algo =3D "sha256",
+		.key_len =3D 16, /* Hash algorithms don't support keys */
+	};
+	int err =3D 0;
+
+	/* Set some dummy key data */
+	params.key[0] =3D 0x01;
+	params.key[1] =3D 0x02;
+
+	hash_ctx =3D bpf_crypto_ctx_create(&params, sizeof(params), &err);
+	if (!hash_ctx) {
+		/* Expected: should fail with -EINVAL (-22) */
+		hash_with_key_status =3D (err =3D=3D -22) ? 0 : err;
+		return 0;
+	}
+
+	/* Should not reach here - context creation should have failed */
+	hash_with_key_status =3D -1;
+	bpf_crypto_ctx_release(hash_ctx);
+	return 0;
+}
+
+/* Test that hash with output buffer too small is rejected */
+SEC("syscall")
+int test_hash_output_too_small(void *ctx)
+{
+	struct bpf_dynptr input_ptr, output_ptr;
+	struct bpf_crypto_ctx *hash_ctx;
+	struct bpf_crypto_params params =3D {
+		.type =3D "hash",
+		.algo =3D "sha256",
+		.key_len =3D 0,
+	};
+	int err =3D 0;
+	int ret;
+
+	hash_ctx =3D bpf_crypto_ctx_create(&params, sizeof(params), &err);
+	if (!hash_ctx) {
+		hash_output_too_small_status =3D err;
+		return 0;
+	}
+
+	bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr);
+	bpf_dynptr_from_mem(small_output, sizeof(small_output), 0, &output_ptr);
+
+	ret =3D bpf_crypto_hash(hash_ctx, &input_ptr, &output_ptr);
+	/* Expected: should fail with -EINVAL (-22) */
+	hash_output_too_small_status =3D (ret =3D=3D -22) ? 0 : ret;
+	bpf_crypto_ctx_release(hash_ctx);
+	return 0;
+}
+
+/* Test that calling bpf_crypto_hash on skcipher context fails */
+SEC("syscall")
+int test_hash_on_skcipher_ctx(void *ctx)
+{
+	struct bpf_dynptr input_ptr, output_ptr;
+	struct bpf_crypto_ctx *cipher_ctx;
+	struct bpf_crypto_params params =3D {
+		.type =3D "skcipher",
+		.algo =3D "ecb(aes)",
+		.key_len =3D 16,
+	};
+	int err =3D 0;
+	int ret;
+
+	/* Set a valid AES-128 key */
+	params.key[0] =3D 0x00; params.key[1] =3D 0x01; params.key[2] =3D 0x02; p=
arams.key[3] =3D 0x03;
+	params.key[4] =3D 0x04; params.key[5] =3D 0x05; params.key[6] =3D 0x06; p=
arams.key[7] =3D 0x07;
+	params.key[8] =3D 0x08; params.key[9] =3D 0x09; params.key[10] =3D 0x0a; =
params.key[11] =3D 0x0b;
+	params.key[12] =3D 0x0c; params.key[13] =3D 0x0d; params.key[14] =3D 0x0e=
; params.key[15] =3D 0x0f;
+
+	cipher_ctx =3D bpf_crypto_ctx_create(&params, sizeof(params), &err);
+	if (!cipher_ctx) {
+		hash_on_skcipher_status =3D err;
+		return 0;
+	}
+
+	bpf_dynptr_from_mem(test_input, sizeof(test_input), 0, &input_ptr);
+	bpf_dynptr_from_mem(sha256_output, sizeof(sha256_output), 0, &output_ptr);
+
+	ret =3D bpf_crypto_hash(cipher_ctx, &input_ptr, &output_ptr);
+	/* Expected: should fail with -EINVAL (-22) due to type_id mismatch */
+	hash_on_skcipher_status =3D (ret =3D=3D -22) ? 0 : ret;
+	bpf_crypto_ctx_release(cipher_ctx);
+	return 0;
+}
+
+char __license[] SEC("license") =3D "GPL";
--=20
2.52.0