authorAdam Langley <alangley@gmail.com>2021-03-09 13:17:06 -0800
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>2021-03-15 22:47:52 +0000
commitf7b87c83fa5a8f3f30058033ea41d4f24836d44a (patch)
tree898a478895c2697e4c23572494c3121b46bc4e54 /crypto/crypto_test.cc
parentacf6149ad878f66c2de240f24617f280371e13a3 (diff)
fips: add counters.
In order to provide evidence to auditors that high-level functions end up calling into the FIPS module, provide counters that allow for such monitoring. Change-Id: I55d45299f3050bf58077715ffa280210db156116 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46124 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'crypto/crypto_test.cc')
-rw-r--r--crypto/crypto_test.cc31
1 files changed, 31 insertions, 0 deletions
diff --git a/crypto/crypto_test.cc b/crypto/crypto_test.cc
index f6c2374..ccb0956 100644
--- a/crypto/crypto_test.cc
+++ b/crypto/crypto_test.cc
@@ -19,6 +19,7 @@
#include <openssl/base.h>
#include <openssl/crypto.h>
+#include <openssl/cipher.h>
#include <gtest/gtest.h>
@@ -33,3 +34,33 @@ TEST(CryptoTest, Version) {
EXPECT_EQ(expected,
std::string(OPENSSL_VERSION_TEXT).substr(0, strlen(expected)));
}
+
+#if defined(BORINGSSL_FIPS_COUNTERS)
+TEST(CryptoTest, FIPSCountersEVP) {
+ constexpr struct {
+ const EVP_CIPHER *(*cipher)();
+ fips_counter_t counter;
+ } kTests[] = {
+ {
+ EVP_aes_128_gcm,
+ fips_counter_evp_aes_128_gcm,
+ },
+ {
+ EVP_aes_256_gcm,
+ fips_counter_evp_aes_256_gcm,
+ },
+ };
+
+ uint8_t key[EVP_MAX_KEY_LENGTH] = {0};
+ uint8_t iv[EVP_MAX_IV_LENGTH] = {1};
+
+ for (const auto& test : kTests) {
+ const size_t before = FIPS_read_counter(test.counter);
+
+ bssl::ScopedEVP_CIPHER_CTX ctx;
+ ASSERT_TRUE(EVP_EncryptInit_ex(ctx.get(), test.cipher(), /*engine=*/nullptr,
+ key, iv));
+ ASSERT_GT(FIPS_read_counter(test.counter), before);
+ }
+}
+#endif // BORINGSSL_FIPS_COUNTERS
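Review bot: A failure of the `ASSERT_GT` inside the `kTests` loop does not say which cipher's counter failed to move, so I would add `SCOPED_TRACE(static_cast<int>(test.counter));` as the first statement of the loop body. The test only demonstrates the counter moving on `EVP_EncryptInit_ex` for the two GCM ciphers, so a comment above the TEST such as `// Checks that initialising an EVP AES-GCM encrypt context bumps the matching FIPS counter; decrypt and other entry points are not covered here.` would keep readers from over-reading it as audit evidence. Because the whole test sits under `#if defined(BORINGSSL_FIPS_COUNTERS)`, it is presumably compiled out of default builds, so it is worth confirming that at least one CI configuration defines the macro.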