1 // Copyright 2024 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <gtest/gtest.h>
16
17 #include <openssl/aead.h>
18 #include <openssl/ssl.h>
19
20 #include "internal.h"
21
22
23 #if !defined(BORINGSSL_SHARED_LIBRARY)
24 BSSL_NAMESPACE_BEGIN
25 namespace {
26
TEST(ReconstructSeqnumTest,Increment)27 TEST(ReconstructSeqnumTest, Increment) {
28 // Test simple cases from the beginning of an epoch with both 8- and 16-bit
29 // wire sequence numbers.
30 EXPECT_EQ(reconstruct_seqnum(0, 0xff, 0), 0u);
31 EXPECT_EQ(reconstruct_seqnum(1, 0xff, 0), 1u);
32 EXPECT_EQ(reconstruct_seqnum(2, 0xff, 0), 2u);
33 EXPECT_EQ(reconstruct_seqnum(0, 0xffff, 0), 0u);
34 EXPECT_EQ(reconstruct_seqnum(1, 0xffff, 0), 1u);
35 EXPECT_EQ(reconstruct_seqnum(2, 0xffff, 0), 2u);
36
37 // When the max seen sequence number is 0, the numerically closest
38 // reconstructed sequence number could be negative. Sequence numbers are
39 // non-negative, so reconstruct_seqnum should instead return the closest
40 // non-negative number instead of returning a number congruent to that
41 // closest negative number mod 2^64.
42 EXPECT_EQ(reconstruct_seqnum(0xff, 0xff, 0), 0xffu);
43 EXPECT_EQ(reconstruct_seqnum(0xfe, 0xff, 0), 0xfeu);
44 EXPECT_EQ(reconstruct_seqnum(0xffff, 0xffff, 0), 0xffffu);
45 EXPECT_EQ(reconstruct_seqnum(0xfffe, 0xffff, 0), 0xfffeu);
46
47 // When the wire sequence number is less than the corresponding low bytes of
48 // the max seen sequence number, check that the next larger sequence number
49 // is reconstructed as its numerically closer than the corresponding sequence
50 // number that would keep the high order bits the same.
51 EXPECT_EQ(reconstruct_seqnum(0, 0xff, 0xff), 0x100u);
52 EXPECT_EQ(reconstruct_seqnum(1, 0xff, 0xff), 0x101u);
53 EXPECT_EQ(reconstruct_seqnum(2, 0xff, 0xff), 0x102u);
54 EXPECT_EQ(reconstruct_seqnum(0, 0xffff, 0xffff), 0x10000u);
55 EXPECT_EQ(reconstruct_seqnum(1, 0xffff, 0xffff), 0x10001u);
56 EXPECT_EQ(reconstruct_seqnum(2, 0xffff, 0xffff), 0x10002u);
57
58 // Test cases when the wire sequence number is close to the largest magnitude
59 // that can be represented in 8 or 16 bits.
60 EXPECT_EQ(reconstruct_seqnum(0xff, 0xff, 0x2f0), 0x2ffu);
61 EXPECT_EQ(reconstruct_seqnum(0xfe, 0xff, 0x2f0), 0x2feu);
62 EXPECT_EQ(reconstruct_seqnum(0xffff, 0xffff, 0x2f000), 0x2ffffu);
63 EXPECT_EQ(reconstruct_seqnum(0xfffe, 0xffff, 0x2f000), 0x2fffeu);
64
65 // Test that reconstruct_seqnum can return the maximum sequence number,
66 // 2^48-1.
67 constexpr uint64_t kMaxSequence = (uint64_t{1} << 48) - 1;
68 EXPECT_EQ(reconstruct_seqnum(0xff, 0xff, kMaxSequence), kMaxSequence);
69 EXPECT_EQ(reconstruct_seqnum(0xff, 0xff, kMaxSequence - 1), kMaxSequence);
70 EXPECT_EQ(reconstruct_seqnum(0xffff, 0xffff, kMaxSequence), kMaxSequence);
71 EXPECT_EQ(reconstruct_seqnum(0xffff, 0xffff, kMaxSequence - 1), kMaxSequence);
72 }
73
TEST(ReconstructSeqnumTest,Decrement)74 TEST(ReconstructSeqnumTest, Decrement) {
75 // Test that the sequence number 0 can be reconstructed when the max
76 // seen sequence number is greater than 0.
77 EXPECT_EQ(reconstruct_seqnum(0, 0xff, 0x10), 0u);
78 EXPECT_EQ(reconstruct_seqnum(0, 0xffff, 0x1000), 0u);
79
80 // Test cases where the reconstructed sequence number is less than the max
81 // seen sequence number.
82 EXPECT_EQ(reconstruct_seqnum(0, 0xff, 0x210), 0x200u);
83 EXPECT_EQ(reconstruct_seqnum(2, 0xff, 0x210), 0x202u);
84 EXPECT_EQ(reconstruct_seqnum(0, 0xffff, 0x43210), 0x40000u);
85 EXPECT_EQ(reconstruct_seqnum(2, 0xffff, 0x43210), 0x40002u);
86
87 // Test when the wire sequence number is greater than the low bits of the
88 // max seen sequence number.
89 EXPECT_EQ(reconstruct_seqnum(0xff, 0xff, 0x200), 0x1ffu);
90 EXPECT_EQ(reconstruct_seqnum(0xfe, 0xff, 0x200), 0x1feu);
91 EXPECT_EQ(reconstruct_seqnum(0xffff, 0xffff, 0x20000), 0x1ffffu);
92 EXPECT_EQ(reconstruct_seqnum(0xfffe, 0xffff, 0x20000), 0x1fffeu);
93
94 constexpr uint64_t kMaxSequence = (uint64_t{1} << 48) - 1;
95 // kMaxSequence00 is kMaxSequence with the last byte replaced with 0x00.
96 constexpr uint64_t kMaxSequence00 = kMaxSequence - 0xff;
97 // kMaxSequence0000 is kMaxSequence with the last byte replaced with 0x0000.
98 constexpr uint64_t kMaxSequence0000 = kMaxSequence - 0xffff;
99
100 // Test when the max seen sequence number is close to the 2^48-1 max value.
101 // In some cases, the closest numerical value in the integers will exceed the
102 // limit. In this case, reconstruct_seqnum should return the closest integer
103 // within range.
104 EXPECT_EQ(reconstruct_seqnum(0, 0xff, kMaxSequence), kMaxSequence00);
105 EXPECT_EQ(reconstruct_seqnum(0, 0xff, kMaxSequence - 1), kMaxSequence00);
106 EXPECT_EQ(reconstruct_seqnum(1, 0xff, kMaxSequence), kMaxSequence00 + 0x01);
107 EXPECT_EQ(reconstruct_seqnum(1, 0xff, kMaxSequence - 1),
108 kMaxSequence00 + 0x01);
109 EXPECT_EQ(reconstruct_seqnum(0xfe, 0xff, kMaxSequence),
110 kMaxSequence00 + 0xfe);
111 EXPECT_EQ(reconstruct_seqnum(0xfd, 0xff, kMaxSequence - 1),
112 kMaxSequence00 + 0xfd);
113 EXPECT_EQ(reconstruct_seqnum(0, 0xffff, kMaxSequence), kMaxSequence0000);
114 EXPECT_EQ(reconstruct_seqnum(0, 0xffff, kMaxSequence - 1), kMaxSequence0000);
115 EXPECT_EQ(reconstruct_seqnum(1, 0xffff, kMaxSequence),
116 kMaxSequence0000 + 0x0001);
117 EXPECT_EQ(reconstruct_seqnum(1, 0xffff, kMaxSequence - 1),
118 kMaxSequence0000 + 0x0001);
119 EXPECT_EQ(reconstruct_seqnum(0xfffe, 0xffff, kMaxSequence),
120 kMaxSequence0000 + 0xfffe);
121 EXPECT_EQ(reconstruct_seqnum(0xfffd, 0xffff, kMaxSequence - 1),
122 kMaxSequence0000 + 0xfffd);
123 }
124
TEST(ReconstructSeqnumTest,Halfway)125 TEST(ReconstructSeqnumTest, Halfway) {
126 // Test wire sequence numbers that are close to halfway away from the max
127 // seen sequence number. The algorithm specifies that the output should be
128 // numerically closest to 1 plus the max seen (0x100 in the following test
129 // cases). With a max seen of 0x100 and a wire sequence of 0x81, the two
130 // closest values to 1+0x100 are 0x81 and 0x181, which are both the same
131 // amount away. The algorithm doesn't specify what to do on this edge case;
132 // our implementation chooses the larger value (0x181), on the assumption that
133 // it's more likely to be a new or larger sequence number rather than a replay
134 // or an out-of-order packet.
135 EXPECT_EQ(reconstruct_seqnum(0x80, 0xff, 0x100), 0x180u);
136 EXPECT_EQ(reconstruct_seqnum(0x81, 0xff, 0x100), 0x181u);
137 EXPECT_EQ(reconstruct_seqnum(0x82, 0xff, 0x100), 0x82u);
138
139 // Repeat these tests with 16-bit wire sequence numbers.
140 EXPECT_EQ(reconstruct_seqnum(0x8000, 0xffff, 0x10000), 0x18000u);
141 EXPECT_EQ(reconstruct_seqnum(0x8001, 0xffff, 0x10000), 0x18001u);
142 EXPECT_EQ(reconstruct_seqnum(0x8002, 0xffff, 0x10000), 0x8002u);
143 }
144
TEST(DTLSMessageBitmapTest,Basic)145 TEST(DTLSMessageBitmapTest, Basic) {
146 // expect_bitmap checks that |b|'s unmarked bits are those listed in |ranges|.
147 // Each element of |ranges| must be non-empty and non-overlapping, and
148 // |ranges| must be sorted.
149 auto expect_bitmap = [](const DTLSMessageBitmap &b,
150 const std::vector<DTLSMessageBitmap::Range> &ranges) {
151 EXPECT_EQ(ranges.empty(), b.IsComplete());
152 size_t start = 0;
153 for (const auto &r : ranges) {
154 for (; start < r.start; start++) {
155 SCOPED_TRACE(start);
156 EXPECT_EQ(b.NextUnmarkedRange(start), r);
157 }
158 for (; start < r.end; start++) {
159 SCOPED_TRACE(start);
160 EXPECT_EQ(b.NextUnmarkedRange(start),
161 (DTLSMessageBitmap::Range{start, r.end}));
162 }
163 }
164 EXPECT_TRUE(b.NextUnmarkedRange(start).empty());
165 EXPECT_TRUE(b.NextUnmarkedRange(start + 1).empty());
166 EXPECT_TRUE(b.NextUnmarkedRange(start + 42).empty());
167
168 // This is implied from the previous checks, but NextUnmarkedRange should
169 // work as an iterator to reconstruct the ranges.
170 std::vector<DTLSMessageBitmap::Range> got_ranges;
171 for (auto r = b.NextUnmarkedRange(0); !r.empty();
172 r = b.NextUnmarkedRange(r.end)) {
173 got_ranges.push_back(r);
174 }
175 EXPECT_EQ(ranges, got_ranges);
176 };
177
178 // Initially, the bitmap is empty (fully marked).
179 DTLSMessageBitmap bitmap;
180 expect_bitmap(bitmap, {});
181
182 // It can also be initialized to the empty message and marked.
183 ASSERT_TRUE(bitmap.Init(0));
184 expect_bitmap(bitmap, {});
185 bitmap.MarkRange(0, 0);
186 expect_bitmap(bitmap, {});
187
188 // Track 100 bits and mark byte by byte.
189 ASSERT_TRUE(bitmap.Init(100));
190 expect_bitmap(bitmap, {{0, 100}});
191 for (size_t i = 0; i < 100; i++) {
192 SCOPED_TRACE(i);
193 bitmap.MarkRange(i, i + 1);
194 if (i < 99) {
195 expect_bitmap(bitmap, {{i + 1, 100}});
196 } else {
197 expect_bitmap(bitmap, {});
198 }
199 }
200
201 // Do the same but in reverse.
202 ASSERT_TRUE(bitmap.Init(100));
203 expect_bitmap(bitmap, {{0, 100}});
204 for (size_t i = 100; i > 0; i--) {
205 SCOPED_TRACE(i);
206 bitmap.MarkRange(i - 1, i);
207 if (i > 1) {
208 expect_bitmap(bitmap, {{0, i - 1}});
209 } else {
210 expect_bitmap(bitmap, {});
211 }
212 }
213
214 // Overlapping ranges are fine.
215 ASSERT_TRUE(bitmap.Init(100));
216 expect_bitmap(bitmap, {{0, 100}});
217 for (size_t i = 0; i < 100; i++) {
218 SCOPED_TRACE(i);
219 bitmap.MarkRange(i / 2, i + 1);
220 if (i < 99) {
221 expect_bitmap(bitmap, {{i + 1, 100}});
222 } else {
223 expect_bitmap(bitmap, {});
224 }
225 }
226
227 // Mark the middle chunk of every power of 3.
228 ASSERT_TRUE(bitmap.Init(100));
229 bitmap.MarkRange(1, 2);
230 bitmap.MarkRange(3, 6);
231 bitmap.MarkRange(9, 18);
232 bitmap.MarkRange(27, 54);
233 bitmap.MarkRange(81, 162);
234 expect_bitmap(bitmap, {{0, 1}, {2, 3}, {6, 9}, {18, 27}, {54, 81}});
235
236 // Mark most of the chunk shifted down a bit, so it both overlaps the previous
237 // and also leaves some of the right chunks unmarked.
238 bitmap.MarkRange(6 - 2, 9 - 2);
239 bitmap.MarkRange(18 - 4, 27 - 4);
240 bitmap.MarkRange(54 - 8, 81 - 8);
241 expect_bitmap(bitmap,
242 {{0, 1}, {2, 3}, {9 - 2, 9}, {27 - 4, 27}, {81 - 8, 81}});
243
244 // Re-mark things that have already been marked.
245 bitmap.MarkRange(1, 2);
246 bitmap.MarkRange(3, 6);
247 bitmap.MarkRange(9, 18);
248 bitmap.MarkRange(27, 54);
249 bitmap.MarkRange(81, 162);
250 expect_bitmap(bitmap,
251 {{0, 1}, {2, 3}, {9 - 2, 9}, {27 - 4, 27}, {81 - 8, 81}});
252
253 // Moves should work.
254 DTLSMessageBitmap bitmap2 = std::move(bitmap);
255 expect_bitmap(bitmap, {});
256 expect_bitmap(bitmap2,
257 {{0, 1}, {2, 3}, {9 - 2, 9}, {27 - 4, 27}, {81 - 8, 81}});
258
259 // Mark everything in two large ranges.
260 bitmap2.MarkRange(27 - 2, 100);
261 expect_bitmap(bitmap2, {{0, 1}, {2, 3}, {9 - 2, 9}, {27 - 4, 27 - 2}});
262 bitmap2.MarkRange(0, 50);
263 expect_bitmap(bitmap2, {});
264
265 // MarkRange inputs may be "out of bounds". The bitmap has conceptually
266 // infinitely many marked bits past where it was initialized.
267 ASSERT_TRUE(bitmap.Init(10));
268 expect_bitmap(bitmap, {{0, 10}});
269 bitmap.MarkRange(5, SIZE_MAX);
270 expect_bitmap(bitmap, {{0, 5}});
271 bitmap.MarkRange(0, SIZE_MAX);
272 expect_bitmap(bitmap, {});
273 }
274
TEST(MRUQueueTest,Basic)275 TEST(MRUQueueTest, Basic) {
276 // Use a complex type to confirm the queue handles them correctly.
277 MRUQueue<std::unique_ptr<int>, 8> queue;
278 auto expect_queue = [&](const std::vector<int> &expected) {
279 EXPECT_EQ(queue.size(), expected.size());
280 EXPECT_EQ(queue.empty(), expected.empty());
281 std::vector<int> queue_values;
282 for (size_t i = 0; i < queue.size(); i++) {
283 queue_values.push_back(*queue[i]);
284 }
285 EXPECT_EQ(queue_values, expected);
286 };
287
288 expect_queue({});
289 queue.PushBack(std::make_unique<int>(1));
290 expect_queue({1});
291 queue.PushBack(std::make_unique<int>(2));
292 expect_queue({1, 2});
293 queue.PushBack(std::make_unique<int>(3));
294 expect_queue({1, 2, 3});
295 queue.PushBack(std::make_unique<int>(4));
296 expect_queue({1, 2, 3, 4});
297 queue.PushBack(std::make_unique<int>(5));
298 expect_queue({1, 2, 3, 4, 5});
299 queue.PushBack(std::make_unique<int>(6));
300 expect_queue({1, 2, 3, 4, 5, 6});
301 queue.PushBack(std::make_unique<int>(7));
302 expect_queue({1, 2, 3, 4, 5, 6, 7});
303 queue.PushBack(std::make_unique<int>(8));
304 expect_queue({1, 2, 3, 4, 5, 6, 7, 8});
305
306 // We are at capacity, so later additions will drop the start. Do more than 8
307 // insertions to test that the start index can wrap around.
308 queue.PushBack(std::make_unique<int>(9));
309 expect_queue({2, 3, 4, 5, 6, 7, 8, 9});
310 queue.PushBack(std::make_unique<int>(10));
311 expect_queue({3, 4, 5, 6, 7, 8, 9, 10});
312 queue.PushBack(std::make_unique<int>(11));
313 expect_queue({4, 5, 6, 7, 8, 9, 10, 11});
314 queue.PushBack(std::make_unique<int>(12));
315 expect_queue({5, 6, 7, 8, 9, 10, 11, 12});
316 queue.PushBack(std::make_unique<int>(13));
317 expect_queue({6, 7, 8, 9, 10, 11, 12, 13});
318 queue.PushBack(std::make_unique<int>(14));
319 expect_queue({7, 8, 9, 10, 11, 12, 13, 14});
320 queue.PushBack(std::make_unique<int>(15));
321 expect_queue({8, 9, 10, 11, 12, 13, 14, 15});
322 queue.PushBack(std::make_unique<int>(16));
323 expect_queue({9, 10, 11, 12, 13, 14, 15, 16});
324 queue.PushBack(std::make_unique<int>(17));
325 expect_queue({10, 11, 12, 13, 14, 15, 16, 17});
326
327 // Clearing the queue should not leave the start index in a bad place.
328 queue.Clear();
329 expect_queue({});
330 queue.PushBack(std::make_unique<int>(1));
331 expect_queue({1});
332 queue.PushBack(std::make_unique<int>(2));
333 expect_queue({1, 2});
334 queue.PushBack(std::make_unique<int>(3));
335 expect_queue({1, 2, 3});
336 }
337
TEST(SSLAEADContextTest,Lengths)338 TEST(SSLAEADContextTest, Lengths) {
339 struct LengthTest {
340 // All plaintext lengths from |min_plaintext_len| to |max_plaintext_len|
341 // should return in |cipertext_len|.
342 size_t min_plaintext_len;
343 size_t max_plaintext_len;
344 size_t ciphertext_len;
345 };
346
347 struct CipherLengthTest {
348 // |SSL3_CK_*| and |TLS1_CK_*| constants include an extra byte at the front,
349 // so these constants must be masked with 0xffff.
350 uint16_t cipher;
351 uint16_t version;
352 size_t enc_key_len, mac_key_len, fixed_iv_len;
353 size_t block_size;
354 std::vector<LengthTest> length_tests;
355 };
356
357 const CipherLengthTest kTests[] = {
358 // 20-byte MAC, 8-byte CBC blocks with padding
359 {
360 /*cipher=*/SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff,
361 /*version=*/TLS1_2_VERSION,
362 /*enc_key_len=*/24,
363 /*mac_key_len=*/20,
364 /*fixed_iv_len=*/0,
365 /*block_size=*/8,
366 {
367 {/*min_plaintext_len=*/0,
368 /*max_plaintext_len=*/3,
369 /*ciphertext_len=*/32},
370 {/*min_plaintext_len=*/4,
371 /*max_plaintext_len=*/11,
372 /*ciphertext_len=*/40},
373 {/*min_plaintext_len=*/12,
374 /*max_plaintext_len=*/19,
375 /*ciphertext_len=*/48},
376 },
377 },
378 // 20-byte MAC, 16-byte CBC blocks with padding
379 {
380 /*cipher=*/TLS1_CK_RSA_WITH_AES_128_SHA & 0xffff,
381 /*version=*/TLS1_2_VERSION,
382 /*enc_key_len=*/16,
383 /*mac_key_len=*/20,
384 /*fixed_iv_len=*/0,
385 /*block_size=*/16,
386 {
387 {/*min_plaintext_len=*/0,
388 /*max_plaintext_len=*/11,
389 /*ciphertext_len=*/48},
390 {/*min_plaintext_len=*/12,
391 /*max_plaintext_len=*/27,
392 /*ciphertext_len=*/64},
393 {/*min_plaintext_len=*/38,
394 /*max_plaintext_len=*/43,
395 /*ciphertext_len=*/80},
396 },
397 },
398 // 32-byte MAC, 16-byte CBC blocks with padding
399 {
400 /*cipher=*/TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff,
401 /*version=*/TLS1_2_VERSION,
402 /*enc_key_len=*/16,
403 /*mac_key_len=*/32,
404 /*fixed_iv_len=*/0,
405 /*block_size=*/16,
406 {
407 {/*min_plaintext_len=*/0,
408 /*max_plaintext_len=*/15,
409 /*ciphertext_len=*/64},
410 {/*min_plaintext_len=*/16,
411 /*max_plaintext_len=*/31,
412 /*ciphertext_len=*/80},
413 {/*min_plaintext_len=*/32,
414 /*max_plaintext_len=*/47,
415 /*ciphertext_len=*/96},
416 },
417 },
418 // 8-byte explicit IV, 16-byte tag
419 {
420 /*cipher=*/TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,
421 /*version=*/TLS1_2_VERSION,
422 /*enc_key_len=*/16,
423 /*mac_key_len=*/0,
424 /*fixed_iv_len=*/4,
425 /*block_size=*/1,
426 {
427 {/*min_plaintext_len=*/0,
428 /*max_plaintext_len=*/0,
429 /*ciphertext_len=*/24},
430 {/*min_plaintext_len=*/1,
431 /*max_plaintext_len=*/1,
432 /*ciphertext_len=*/25},
433 {/*min_plaintext_len=*/2,
434 /*max_plaintext_len=*/2,
435 /*ciphertext_len=*/26},
436 {/*min_plaintext_len=*/42,
437 /*max_plaintext_len=*/42,
438 /*ciphertext_len=*/66},
439 },
440 },
441 // No explicit IV, 16-byte tag. TLS 1.3's padding and record type overhead
442 // is added at another layer.
443 {
444 /*cipher=*/TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
445 /*version=*/TLS1_2_VERSION,
446 /*enc_key_len=*/32,
447 /*mac_key_len=*/0,
448 /*fixed_iv_len=*/12,
449 /*block_size=*/1,
450 {
451 {/*min_plaintext_len=*/0,
452 /*max_plaintext_len=*/0,
453 /*ciphertext_len=*/16},
454 {/*min_plaintext_len=*/1,
455 /*max_plaintext_len=*/1,
456 /*ciphertext_len=*/17},
457 {/*min_plaintext_len=*/2,
458 /*max_plaintext_len=*/2,
459 /*ciphertext_len=*/18},
460 {/*min_plaintext_len=*/42,
461 /*max_plaintext_len=*/42,
462 /*ciphertext_len=*/58},
463 },
464 },
465 {
466 /*cipher=*/TLS1_CK_AES_128_GCM_SHA256 & 0xffff,
467 /*version=*/TLS1_3_VERSION,
468 /*enc_key_len=*/16,
469 /*mac_key_len=*/0,
470 /*fixed_iv_len=*/12,
471 /*block_size=*/1,
472 {
473 {/*min_plaintext_len=*/0,
474 /*max_plaintext_len=*/0,
475 /*ciphertext_len=*/16},
476 {/*min_plaintext_len=*/1,
477 /*max_plaintext_len=*/1,
478 /*ciphertext_len=*/17},
479 {/*min_plaintext_len=*/2,
480 /*max_plaintext_len=*/2,
481 /*ciphertext_len=*/18},
482 {/*min_plaintext_len=*/42,
483 /*max_plaintext_len=*/42,
484 /*ciphertext_len=*/58},
485 },
486 },
487 {
488 /*cipher=*/TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
489 /*version=*/TLS1_3_VERSION,
490 /*enc_key_len=*/32,
491 /*mac_key_len=*/0,
492 /*fixed_iv_len=*/12,
493 /*block_size=*/1,
494 {
495 {/*min_plaintext_len=*/0,
496 /*max_plaintext_len=*/0,
497 /*ciphertext_len=*/16},
498 {/*min_plaintext_len=*/1,
499 /*max_plaintext_len=*/1,
500 /*ciphertext_len=*/17},
501 {/*min_plaintext_len=*/2,
502 /*max_plaintext_len=*/2,
503 /*ciphertext_len=*/18},
504 {/*min_plaintext_len=*/42,
505 /*max_plaintext_len=*/42,
506 /*ciphertext_len=*/58},
507 },
508 },
509 };
510
511 for (const auto &cipher_test : kTests) {
512 const SSL_CIPHER *cipher =
513 SSL_get_cipher_by_value(static_cast<uint16_t>(cipher_test.cipher));
514 ASSERT_TRUE(cipher) << "Could not find cipher " << cipher_test.cipher;
515 SCOPED_TRACE(SSL_CIPHER_standard_name(cipher));
516
517 const uint8_t kZeros[EVP_AEAD_MAX_KEY_LENGTH] = {0};
518 UniquePtr<SSLAEADContext> aead =
519 SSLAEADContext::Create(evp_aead_seal, cipher_test.version, cipher,
520 Span(kZeros).first(cipher_test.enc_key_len),
521 Span(kZeros).first(cipher_test.mac_key_len),
522 Span(kZeros).first(cipher_test.fixed_iv_len));
523 ASSERT_TRUE(aead);
524
525 for (const auto &t : cipher_test.length_tests) {
526 SCOPED_TRACE(t.ciphertext_len);
527
528 for (size_t plaintext_len = t.min_plaintext_len;
529 plaintext_len <= t.max_plaintext_len; plaintext_len++) {
530 SCOPED_TRACE(plaintext_len);
531 size_t out_len;
532 ASSERT_TRUE(aead->CiphertextLen(&out_len, plaintext_len, 0));
533 EXPECT_EQ(out_len, t.ciphertext_len);
534 }
535
536 EXPECT_EQ(aead->MaxSealInputLen(t.ciphertext_len), t.max_plaintext_len);
537 for (size_t extra = 0; extra < cipher_test.block_size; extra++) {
538 // Adding up to block_size - 1 bytes of space should not change how much
539 // room we have.
540 SCOPED_TRACE(extra);
541 EXPECT_EQ(aead->MaxSealInputLen(t.ciphertext_len + extra),
542 t.max_plaintext_len);
543 }
544 }
545 }
546 }
547
548 } // namespace
549 BSSL_NAMESPACE_END
550 #endif // !BORINGSSL_SHARED_LIBRARY
551