boringssl/crypto/crypto_test.cc

/* Copyright (c) 2020, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

#include <stdio.h>
#include <string.h>

#include <string>

#include <openssl/base.h>
#include <openssl/crypto.h>
#include <openssl/cipher.h>
#include <openssl/mem.h>

#include <gtest/gtest.h>

// Test that OPENSSL_VERSION_NUMBER and OPENSSL_VERSION_TEXT are consistent.
// Node.js parses the version out of OPENSSL_VERSION_TEXT instead of using
// OPENSSL_VERSION_NUMBER.
TEST(CryptoTest, Version) {
  char expected[512];
  snprintf(expected, sizeof(expected), "OpenSSL %d.%d.%d ",
           OPENSSL_VERSION_NUMBER >> 28, (OPENSSL_VERSION_NUMBER >> 20) & 0xff,
           (OPENSSL_VERSION_NUMBER >> 12) & 0xff);
  EXPECT_EQ(expected,
            std::string(OPENSSL_VERSION_TEXT).substr(0, strlen(expected)));
}

TEST(CryptoTest, Strndup) {
  bssl::UniquePtr<char> str(OPENSSL_strndup(nullptr, 0));
  EXPECT_TRUE(str);
  EXPECT_STREQ("", str.get());
}

#if defined(BORINGSSL_FIPS_COUNTERS)
TEST(CryptoTest, FIPSCountersEVP) {
  constexpr struct {
    const EVP_CIPHER *(*cipher)();
    fips_counter_t counter;
  } kTests[] = {
    {
        EVP_aes_128_gcm,
        fips_counter_evp_aes_128_gcm,
    },
    {
        EVP_aes_256_gcm,
        fips_counter_evp_aes_256_gcm,
    },
    {
        EVP_aes_128_ctr,
        fips_counter_evp_aes_128_ctr,
    },
    {
        EVP_aes_256_ctr,
        fips_counter_evp_aes_256_ctr,
    },
  };

  uint8_t key[EVP_MAX_KEY_LENGTH] = {0};
  uint8_t iv[EVP_MAX_IV_LENGTH] = {1};

  for (const auto& test : kTests) {
    const size_t before = FIPS_read_counter(test.counter);

    bssl::ScopedEVP_CIPHER_CTX ctx;
    ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), test.cipher(), /*engine=*/nullptr,
                                   key, iv));
    ASSERT_GT(FIPS_read_counter(test.counter), before);
  }
}
#endif  // BORINGSSL_FIPS_COUNTERS
Bump OPENSSL_VERSION_NUMBER to 1.1.1. With TLS 1.3 and Ed25519 support, we're much closer to OpenSSL 1.1.1 these days than OpenSSL 1.1.0. I've also added a test to keep OPENSSL_VERSION_NUMBER and OPENSSL_VERSION_TEXT in sync. Update-Note: Some OPENSSL_VERSION_NUMBER/OPENSSL_IS_BORINGSSL checks may need to be updated. Hopefully even more can go away. Bug: 367 Change-Id: Idaa238b74f35993c9c03fec31f1346c15cf82968 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42864 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> 5 years ago			`/* Copyright (c) 2020, Google Inc.`
			`*`
			`* Permission to use, copy, modify, and/or distribute this software for any`
			`* purpose with or without fee is hereby granted, provided that the above`
			`* copyright notice and this permission notice appear in all copies.`
			`*`
			`* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES`
			`* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF`
			`* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY`
			`* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES`
			`* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION`
			`* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN`
			`* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */`

			`#include <stdio.h>`
			`#include <string.h>`

			`#include <string>`

			`#include <openssl/base.h>`
			`#include <openssl/crypto.h>`
fips: add counters. In order to provide evidence to auditors that high-level functions end up calling into the FIPS module, provide counters that allow for such monitoring. Change-Id: I55d45299f3050bf58077715ffa280210db156116 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46124 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> 4 years ago			`#include <openssl/cipher.h>`
OPENSSL_strndup should not return NULL given {NULL, 0}. The NUL-terminated representation of the empty string is a non-NULL one-byte array, not NULL. This fills in the last of the empty string cases in https://boringssl-review.googlesource.com/c/boringssl/+/49006/ Change-Id: I66c09dc3223f762b708612987b26c90e41e27c4a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49009 Reviewed-by: Adam Langley <agl@google.com> 4 years ago			`#include <openssl/mem.h>`
Bump OPENSSL_VERSION_NUMBER to 1.1.1. With TLS 1.3 and Ed25519 support, we're much closer to OpenSSL 1.1.1 these days than OpenSSL 1.1.0. I've also added a test to keep OPENSSL_VERSION_NUMBER and OPENSSL_VERSION_TEXT in sync. Update-Note: Some OPENSSL_VERSION_NUMBER/OPENSSL_IS_BORINGSSL checks may need to be updated. Hopefully even more can go away. Bug: 367 Change-Id: Idaa238b74f35993c9c03fec31f1346c15cf82968 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42864 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> 5 years ago
			`#include <gtest/gtest.h>`

			`// Test that OPENSSL_VERSION_NUMBER and OPENSSL_VERSION_TEXT are consistent.`
			`// Node.js parses the version out of OPENSSL_VERSION_TEXT instead of using`
			`// OPENSSL_VERSION_NUMBER.`
			`TEST(CryptoTest, Version) {`
			`char expected[512];`
			`snprintf(expected, sizeof(expected), "OpenSSL %d.%d.%d ",`
			`OPENSSL_VERSION_NUMBER >> 28, (OPENSSL_VERSION_NUMBER >> 20) & 0xff,`
			`(OPENSSL_VERSION_NUMBER >> 12) & 0xff);`
			`EXPECT_EQ(expected,`
			`std::string(OPENSSL_VERSION_TEXT).substr(0, strlen(expected)));`
			`}`
fips: add counters. In order to provide evidence to auditors that high-level functions end up calling into the FIPS module, provide counters that allow for such monitoring. Change-Id: I55d45299f3050bf58077715ffa280210db156116 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46124 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> 4 years ago
OPENSSL_strndup should not return NULL given {NULL, 0}. The NUL-terminated representation of the empty string is a non-NULL one-byte array, not NULL. This fills in the last of the empty string cases in https://boringssl-review.googlesource.com/c/boringssl/+/49006/ Change-Id: I66c09dc3223f762b708612987b26c90e41e27c4a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49009 Reviewed-by: Adam Langley <agl@google.com> 4 years ago			`TEST(CryptoTest, Strndup) {`
			`bssl::UniquePtr<char> str(OPENSSL_strndup(nullptr, 0));`
			`EXPECT_TRUE(str);`
			`EXPECT_STREQ("", str.get());`
			`}`

fips: add counters. In order to provide evidence to auditors that high-level functions end up calling into the FIPS module, provide counters that allow for such monitoring. Change-Id: I55d45299f3050bf58077715ffa280210db156116 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46124 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> 4 years ago			`#if defined(BORINGSSL_FIPS_COUNTERS)`
			`TEST(CryptoTest, FIPSCountersEVP) {`
			`constexpr struct {`
			`const EVP_CIPHER (cipher)();`
			`fips_counter_t counter;`
			`} kTests[] = {`
			`{`
			`EVP_aes_128_gcm,`
			`fips_counter_evp_aes_128_gcm,`
			`},`
			`{`
			`EVP_aes_256_gcm,`
			`fips_counter_evp_aes_256_gcm,`
			`},`
FIPS counters for AES-CTR. Change-Id: I0ea4c600741c3604d7b3b6df614b40d8c57116e4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46504 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> 4 years ago			`{`
			`EVP_aes_128_ctr,`
			`fips_counter_evp_aes_128_ctr,`
			`},`
			`{`
			`EVP_aes_256_ctr,`
			`fips_counter_evp_aes_256_ctr,`
			`},`
fips: add counters. In order to provide evidence to auditors that high-level functions end up calling into the FIPS module, provide counters that allow for such monitoring. Change-Id: I55d45299f3050bf58077715ffa280210db156116 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46124 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> 4 years ago			`};`

			`uint8_t key[EVP_MAX_KEY_LENGTH] = {0};`
			`uint8_t iv[EVP_MAX_IV_LENGTH] = {1};`

			`for (const auto& test : kTests) {`
			`const size_t before = FIPS_read_counter(test.counter);`

			`bssl::ScopedEVP_CIPHER_CTX ctx;`
			`ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), test.cipher(), /engine=/nullptr,`
			`key, iv));`
			`ASSERT_GT(FIPS_read_counter(test.counter), before);`
			`}`
			`}`
			`#endif // BORINGSSL_FIPS_COUNTERS`