| //! zeroize integration tests. |
| |
| use std::{ |
| marker::{PhantomData, PhantomPinned}, |
| mem::{size_of, MaybeUninit}, |
| num::*, |
| }; |
| use zeroize::*; |
| |
| #[cfg(feature = "std")] |
| use std::ffi::CString; |
| |
| #[derive(Clone, Debug, PartialEq)] |
| struct ZeroizedOnDrop(u64); |
| |
| impl Drop for ZeroizedOnDrop { |
| fn drop(&mut self) { |
| self.0.zeroize(); |
| } |
| } |
| |
| #[test] |
| fn non_zero() { |
| macro_rules! non_zero_test { |
| ($($type:ty),+) => { |
| $(let mut value = <$type>::new(42).unwrap(); |
| value.zeroize(); |
| assert_eq!(value.get(), 1);)+ |
| }; |
| } |
| |
| non_zero_test!( |
| NonZeroI8, |
| NonZeroI16, |
| NonZeroI32, |
| NonZeroI64, |
| NonZeroI128, |
| NonZeroIsize, |
| NonZeroU8, |
| NonZeroU16, |
| NonZeroU32, |
| NonZeroU64, |
| NonZeroU128, |
| NonZeroUsize |
| ); |
| } |
| |
| #[test] |
| fn zeroize_byte_arrays() { |
| let mut arr = [42u8; 137]; |
| arr.zeroize(); |
| assert_eq!(arr.as_ref(), [0u8; 137].as_ref()); |
| } |
| |
| #[test] |
| fn zeroize_on_drop_byte_arrays() { |
| let mut arr = [ZeroizedOnDrop(42); 1]; |
| unsafe { core::ptr::drop_in_place(&mut arr) }; |
| assert_eq!(arr.as_ref(), [ZeroizedOnDrop(0); 1].as_ref()); |
| } |
| |
| #[test] |
| fn zeroize_maybeuninit_byte_arrays() { |
| let mut arr = [MaybeUninit::new(42u64); 64]; |
| arr.zeroize(); |
| let arr_init: [u64; 64] = unsafe { core::mem::transmute(arr) }; |
| assert_eq!(arr_init, [0u64; 64]); |
| } |
| |
| #[test] |
| fn zeroize_check_zerosize_types() { |
| // Since we assume these types have zero size, we test this holds for |
| // the current version of Rust. |
| assert_eq!(size_of::<()>(), 0); |
| assert_eq!(size_of::<PhantomPinned>(), 0); |
| assert_eq!(size_of::<PhantomData<usize>>(), 0); |
| } |
| |
| #[test] |
| fn zeroize_check_tuple() { |
| let mut tup1 = (42u8,); |
| tup1.zeroize(); |
| assert_eq!(tup1, (0u8,)); |
| |
| let mut tup2 = (42u8, 42u8); |
| tup2.zeroize(); |
| assert_eq!(tup2, (0u8, 0u8)); |
| } |
| |
| #[test] |
| fn zeroize_on_drop_check_tuple() { |
| let mut tup1 = (ZeroizedOnDrop(42),); |
| unsafe { core::ptr::drop_in_place(&mut tup1) }; |
| assert_eq!(tup1, (ZeroizedOnDrop(0),)); |
| |
| let mut tup2 = (ZeroizedOnDrop(42), ZeroizedOnDrop(42)); |
| unsafe { core::ptr::drop_in_place(&mut tup2) }; |
| assert_eq!(tup2, (ZeroizedOnDrop(0), ZeroizedOnDrop(0))); |
| } |
| |
| #[cfg(feature = "alloc")] |
| #[test] |
| fn zeroize_vec() { |
| let mut vec = vec![42; 3]; |
| vec.zeroize(); |
| assert!(vec.is_empty()); |
| } |
| |
| #[cfg(feature = "alloc")] |
| #[test] |
| fn zeroize_vec_entire_capacity() { |
| #[derive(Clone)] |
| struct PanicOnNonZeroDrop(u64); |
| |
| impl Zeroize for PanicOnNonZeroDrop { |
| fn zeroize(&mut self) { |
| self.0 = 0; |
| } |
| } |
| |
| impl Drop for PanicOnNonZeroDrop { |
| fn drop(&mut self) { |
| if self.0 != 0 { |
| panic!("dropped non-zeroized data"); |
| } |
| } |
| } |
| |
| // Ensure that the entire capacity of the vec is zeroized and that no unitinialized data |
| // is ever interpreted as initialized |
| let mut vec = vec![PanicOnNonZeroDrop(42); 2]; |
| |
| unsafe { |
| vec.set_len(1); |
| } |
| |
| vec.zeroize(); |
| |
| unsafe { |
| vec.set_len(2); |
| } |
| |
| drop(vec); |
| } |
| |
| #[cfg(feature = "alloc")] |
| #[test] |
| fn zeroize_string() { |
| let mut string = String::from("Hello, world!"); |
| string.zeroize(); |
| assert!(string.is_empty()); |
| } |
| |
| #[cfg(feature = "alloc")] |
| #[test] |
| fn zeroize_string_entire_capacity() { |
| let mut string = String::from("Hello, world!"); |
| string.truncate(5); |
| |
| string.zeroize(); |
| |
| // convert the string to a vec to easily access the unused capacity |
| let mut as_vec = string.into_bytes(); |
| unsafe { as_vec.set_len(as_vec.capacity()) }; |
| |
| assert!(as_vec.iter().all(|byte| *byte == 0)); |
| } |
| |
| // TODO(tarcieri): debug flaky test (with potential UB?) See: RustCrypto/utils#774 |
| #[cfg(feature = "std")] |
| #[ignore] |
| #[test] |
| fn zeroize_c_string() { |
| let mut cstring = CString::new("Hello, world!").expect("CString::new failed"); |
| let orig_len = cstring.as_bytes().len(); |
| let orig_ptr = cstring.as_bytes().as_ptr(); |
| cstring.zeroize(); |
| // This doesn't quite test that the original memory has been cleared, but only that |
| // cstring now owns an empty buffer |
| assert!(cstring.as_bytes().is_empty()); |
| for i in 0..orig_len { |
| unsafe { |
| // Using a simple deref, only one iteration of the loop is performed |
| // presumably because after zeroize, the internal buffer has a length of one/ |
| // `read_volatile` seems to "fix" this |
| // Note that this is very likely UB |
| assert_eq!(orig_ptr.add(i).read_volatile(), 0); |
| } |
| } |
| } |
| |
| #[cfg(feature = "alloc")] |
| #[test] |
| fn zeroize_box() { |
| let mut boxed_arr = Box::new([42u8; 3]); |
| boxed_arr.zeroize(); |
| assert_eq!(boxed_arr.as_ref(), &[0u8; 3]); |
| } |
| |
| #[cfg(feature = "alloc")] |
| #[test] |
| fn asref() { |
| let mut buffer: Zeroizing<Vec<u8>> = Default::default(); |
| let _asmut: &mut [u8] = buffer.as_mut(); |
| let _asref: &[u8] = buffer.as_ref(); |
| |
| let mut buffer: Zeroizing<Box<[u8]>> = Default::default(); |
| let _asmut: &mut [u8] = buffer.as_mut(); |
| let _asref: &[u8] = buffer.as_ref(); |
| } |