chacha20poly1305/chacha20poly1305_test.go - crypto - Git at Google

 // Copyright 2016 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package chacha20poly1305

 import (
 	"bytes"
 	"crypto/cipher"
 	cryptorand "crypto/rand"
 	"encoding/hex"
 	"fmt"
 	mathrand "math/rand"
 	"strconv"
 	"testing"
 )

 func TestVectors(t *testing.T) {
 	for i, test := range chacha20Poly1305Tests {
 		key, _ := hex.DecodeString(test.key)
 		nonce, _ := hex.DecodeString(test.nonce)
 		ad, _ := hex.DecodeString(test.aad)
 		plaintext, _ := hex.DecodeString(test.plaintext)

 		var (
 			aead cipher.AEAD
 			err  error
 		)
 		switch len(nonce) {
 		case NonceSize:
 			aead, err = New(key)
 		case NonceSizeX:
 			aead, err = NewX(key)
 		default:
 			t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
 		}
 		if err != nil {
 			t.Fatal(err)
 		}

 		ct := aead.Seal(nil, nonce, plaintext, ad)
 		if ctHex := hex.EncodeToString(ct); ctHex != test.out {
 			t.Errorf("#%d: got %s, want %s", i, ctHex, test.out)
 			continue
 		}

 		plaintext2, err := aead.Open(nil, nonce, ct, ad)
 		if err != nil {
 			t.Errorf("#%d: Open failed", i)
 			continue
 		}

 		if !bytes.Equal(plaintext, plaintext2) {
 			t.Errorf("#%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
 			continue
 		}

 		if len(ad) > 0 {
 			alterAdIdx := mathrand.Intn(len(ad))
 			ad[alterAdIdx] ^= 0x80
 			if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
 				t.Errorf("#%d: Open was successful after altering additional data", i)
 			}
 			ad[alterAdIdx] ^= 0x80
 		}

 		alterNonceIdx := mathrand.Intn(aead.NonceSize())
 		nonce[alterNonceIdx] ^= 0x80
 		if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
 			t.Errorf("#%d: Open was successful after altering nonce", i)
 		}
 		nonce[alterNonceIdx] ^= 0x80

 		alterCtIdx := mathrand.Intn(len(ct))
 		ct[alterCtIdx] ^= 0x80
 		if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
 			t.Errorf("#%d: Open was successful after altering ciphertext", i)
 		}
 		ct[alterCtIdx] ^= 0x80
 	}
 }

 func TestRandom(t *testing.T) {
 	// Some random tests to verify Open(Seal) == Plaintext
 	f := func(t *testing.T, nonceSize int) {
 		for i := 0; i < 256; i++ {
 			var nonce = make([]byte, nonceSize)
 			var key [32]byte

 			al := mathrand.Intn(128)
 			pl := mathrand.Intn(16384)
 			ad := make([]byte, al)
 			plaintext := make([]byte, pl)
 			cryptorand.Read(key[:])
 			cryptorand.Read(nonce[:])
 			cryptorand.Read(ad)
 			cryptorand.Read(plaintext)

 			var (
 				aead cipher.AEAD
 				err  error
 			)
 			switch len(nonce) {
 			case NonceSize:
 				aead, err = New(key[:])
 			case NonceSizeX:
 				aead, err = NewX(key[:])
 			default:
 				t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
 			}
 			if err != nil {
 				t.Fatal(err)
 			}

 			ct := aead.Seal(nil, nonce[:], plaintext, ad)

 			plaintext2, err := aead.Open(nil, nonce[:], ct, ad)
 			if err != nil {
 				t.Errorf("Random #%d: Open failed", i)
 				continue
 			}

 			if !bytes.Equal(plaintext, plaintext2) {
 				t.Errorf("Random #%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
 				continue
 			}

 			if len(ad) > 0 {
 				alterAdIdx := mathrand.Intn(len(ad))
 				ad[alterAdIdx] ^= 0x80
 				if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
 					t.Errorf("Random #%d: Open was successful after altering additional data", i)
 				}
 				ad[alterAdIdx] ^= 0x80
 			}

 			alterNonceIdx := mathrand.Intn(aead.NonceSize())
 			nonce[alterNonceIdx] ^= 0x80
 			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
 				t.Errorf("Random #%d: Open was successful after altering nonce", i)
 			}
 			nonce[alterNonceIdx] ^= 0x80

 			alterCtIdx := mathrand.Intn(len(ct))
 			ct[alterCtIdx] ^= 0x80
 			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
 				t.Errorf("Random #%d: Open was successful after altering ciphertext", i)
 			}
 			ct[alterCtIdx] ^= 0x80
 		}
 	}
 	t.Run("Standard", func(t *testing.T) { f(t, NonceSize) })
 	t.Run("X", func(t *testing.T) { f(t, NonceSizeX) })
 }

 func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) {
 	b.ReportAllocs()
 	b.SetBytes(int64(len(buf)))

 	var key [32]byte
 	var nonce = make([]byte, nonceSize)
 	var ad [13]byte
 	var out []byte

 	var aead cipher.AEAD
 	switch len(nonce) {
 	case NonceSize:
 		aead, _ = New(key[:])
 	case NonceSizeX:
 		aead, _ = NewX(key[:])
 	}

 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		out = aead.Seal(out[:0], nonce[:], buf[:], ad[:])
 	}
 }

 func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) {
 	b.ReportAllocs()
 	b.SetBytes(int64(len(buf)))

 	var key [32]byte
 	var nonce = make([]byte, nonceSize)
 	var ad [13]byte
 	var ct []byte
 	var out []byte

 	var aead cipher.AEAD
 	switch len(nonce) {
 	case NonceSize:
 		aead, _ = New(key[:])
 	case NonceSizeX:
 		aead, _ = NewX(key[:])
 	}
 	ct = aead.Seal(ct[:0], nonce[:], buf[:], ad[:])

 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		out, _ = aead.Open(out[:0], nonce[:], ct[:], ad[:])
 	}
 }

 func BenchmarkChacha20Poly1305(b *testing.B) {
 	for _, length := range []int{64, 1350, 8 * 1024} {
 		b.Run("Open-"+strconv.Itoa(length), func(b *testing.B) {
 			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSize)
 		})
 		b.Run("Seal-"+strconv.Itoa(length), func(b *testing.B) {
 			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSize)
 		})

 		b.Run("Open-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
 			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSizeX)
 		})
 		b.Run("Seal-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
 			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSizeX)
 		})
 	}
 }

 func ExampleNewX() {
 	// key should be randomly generated or derived from a function like Argon2.
 	key := make([]byte, KeySize)
 	if _, err := cryptorand.Read(key); err != nil {
 		panic(err)
 	}

 	aead, err := NewX(key)
 	if err != nil {
 		panic(err)
 	}

 	// Encryption.
 	var encryptedMsg []byte
 	{
 		msg := []byte("Gophers, gophers, gophers everywhere!")

 		// Select a random nonce, and leave capacity for the ciphertext.
 		nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead())
 		if _, err := cryptorand.Read(nonce); err != nil {
 			panic(err)
 		}

 		// Encrypt the message and append the ciphertext to the nonce.
 		encryptedMsg = aead.Seal(nonce, nonce, msg, nil)
 	}

 	// Decryption.
 	{
 		if len(encryptedMsg) < aead.NonceSize() {
 			panic("ciphertext too short")
 		}

 		// Split nonce and ciphertext.
 		nonce, ciphertext := encryptedMsg[:aead.NonceSize()], encryptedMsg[aead.NonceSize():]

 		// Decrypt the message and check it wasn't tampered with.
 		plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
 		if err != nil {
 			panic(err)
 		}

 		fmt.Printf("%s\n", plaintext)
 	}

 	// Output: Gophers, gophers, gophers everywhere!
 }
	// Copyright 2016 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package chacha20poly1305

	import (
	"bytes"
	"crypto/cipher"
	cryptorand "crypto/rand"
	"encoding/hex"
	"fmt"
	mathrand "math/rand"
	"strconv"
	"testing"
	)

	func TestVectors(t *testing.T) {
	for i, test := range chacha20Poly1305Tests {
	key, _ := hex.DecodeString(test.key)
	nonce, _ := hex.DecodeString(test.nonce)
	ad, _ := hex.DecodeString(test.aad)
	plaintext, _ := hex.DecodeString(test.plaintext)

	var (
	aead cipher.AEAD
	err error
	)
	switch len(nonce) {
	case NonceSize:
	aead, err = New(key)
	case NonceSizeX:
	aead, err = NewX(key)
	default:
	t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
	}
	if err != nil {
	t.Fatal(err)
	}

	ct := aead.Seal(nil, nonce, plaintext, ad)
	if ctHex := hex.EncodeToString(ct); ctHex != test.out {
	t.Errorf("#%d: got %s, want %s", i, ctHex, test.out)
	continue
	}

	plaintext2, err := aead.Open(nil, nonce, ct, ad)
	if err != nil {
	t.Errorf("#%d: Open failed", i)
	continue
	}

	if !bytes.Equal(plaintext, plaintext2) {
	t.Errorf("#%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
	continue
	}

	if len(ad) > 0 {
	alterAdIdx := mathrand.Intn(len(ad))
	ad[alterAdIdx] ^= 0x80
	if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
	t.Errorf("#%d: Open was successful after altering additional data", i)
	}
	ad[alterAdIdx] ^= 0x80
	}

	alterNonceIdx := mathrand.Intn(aead.NonceSize())
	nonce[alterNonceIdx] ^= 0x80
	if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
	t.Errorf("#%d: Open was successful after altering nonce", i)
	}
	nonce[alterNonceIdx] ^= 0x80

	alterCtIdx := mathrand.Intn(len(ct))
	ct[alterCtIdx] ^= 0x80
	if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
	t.Errorf("#%d: Open was successful after altering ciphertext", i)
	}
	ct[alterCtIdx] ^= 0x80
	}
	}

	func TestRandom(t *testing.T) {
	// Some random tests to verify Open(Seal) == Plaintext
	f := func(t *testing.T, nonceSize int) {
	for i := 0; i < 256; i++ {
	var nonce = make([]byte, nonceSize)
	var key [32]byte

	al := mathrand.Intn(128)
	pl := mathrand.Intn(16384)
	ad := make([]byte, al)
	plaintext := make([]byte, pl)
	cryptorand.Read(key[:])
	cryptorand.Read(nonce[:])
	cryptorand.Read(ad)
	cryptorand.Read(plaintext)

	var (
	aead cipher.AEAD
	err error
	)
	switch len(nonce) {
	case NonceSize:
	aead, err = New(key[:])
	case NonceSizeX:
	aead, err = NewX(key[:])
	default:
	t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
	}
	if err != nil {
	t.Fatal(err)
	}

	ct := aead.Seal(nil, nonce[:], plaintext, ad)

	plaintext2, err := aead.Open(nil, nonce[:], ct, ad)
	if err != nil {
	t.Errorf("Random #%d: Open failed", i)
	continue
	}

	if !bytes.Equal(plaintext, plaintext2) {
	t.Errorf("Random #%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
	continue
	}

	if len(ad) > 0 {
	alterAdIdx := mathrand.Intn(len(ad))
	ad[alterAdIdx] ^= 0x80
	if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
	t.Errorf("Random #%d: Open was successful after altering additional data", i)
	}
	ad[alterAdIdx] ^= 0x80
	}

	alterNonceIdx := mathrand.Intn(aead.NonceSize())
	nonce[alterNonceIdx] ^= 0x80
	if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
	t.Errorf("Random #%d: Open was successful after altering nonce", i)
	}
	nonce[alterNonceIdx] ^= 0x80

	alterCtIdx := mathrand.Intn(len(ct))
	ct[alterCtIdx] ^= 0x80
	if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
	t.Errorf("Random #%d: Open was successful after altering ciphertext", i)
	}
	ct[alterCtIdx] ^= 0x80
	}
	}
	t.Run("Standard", func(t *testing.T) { f(t, NonceSize) })
	t.Run("X", func(t *testing.T) { f(t, NonceSizeX) })
	}

	func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) {
	b.ReportAllocs()
	b.SetBytes(int64(len(buf)))

	var key [32]byte
	var nonce = make([]byte, nonceSize)
	var ad [13]byte
	var out []byte

	var aead cipher.AEAD
	switch len(nonce) {
	case NonceSize:
	aead, _ = New(key[:])
	case NonceSizeX:
	aead, _ = NewX(key[:])
	}

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
	out = aead.Seal(out[:0], nonce[:], buf[:], ad[:])
	}
	}

	func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) {
	b.ReportAllocs()
	b.SetBytes(int64(len(buf)))

	var key [32]byte
	var nonce = make([]byte, nonceSize)
	var ad [13]byte
	var ct []byte
	var out []byte

	var aead cipher.AEAD
	switch len(nonce) {
	case NonceSize:
	aead, _ = New(key[:])
	case NonceSizeX:
	aead, _ = NewX(key[:])
	}
	ct = aead.Seal(ct[:0], nonce[:], buf[:], ad[:])

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
	out, _ = aead.Open(out[:0], nonce[:], ct[:], ad[:])
	}
	}

	func BenchmarkChacha20Poly1305(b *testing.B) {
	for _, length := range []int{64, 1350, 8 * 1024} {
	b.Run("Open-"+strconv.Itoa(length), func(b *testing.B) {
	benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSize)
	})
	b.Run("Seal-"+strconv.Itoa(length), func(b *testing.B) {
	benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSize)
	})

	b.Run("Open-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
	benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSizeX)
	})
	b.Run("Seal-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
	benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSizeX)
	})
	}
	}

	func ExampleNewX() {
	// key should be randomly generated or derived from a function like Argon2.
	key := make([]byte, KeySize)
	if _, err := cryptorand.Read(key); err != nil {
	panic(err)
	}

	aead, err := NewX(key)
	if err != nil {
	panic(err)
	}

	// Encryption.
	var encryptedMsg []byte
	{
	msg := []byte("Gophers, gophers, gophers everywhere!")

	// Select a random nonce, and leave capacity for the ciphertext.
	nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead())
	if _, err := cryptorand.Read(nonce); err != nil {
	panic(err)
	}

	// Encrypt the message and append the ciphertext to the nonce.
	encryptedMsg = aead.Seal(nonce, nonce, msg, nil)
	}

	// Decryption.
	{
	if len(encryptedMsg) < aead.NonceSize() {
	panic("ciphertext too short")
	}

	// Split nonce and ciphertext.
	nonce, ciphertext := encryptedMsg[:aead.NonceSize()], encryptedMsg[aead.NonceSize():]

	// Decrypt the message and check it wasn't tampered with.
	plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
	panic(err)
	}

	fmt.Printf("%s\n", plaintext)
	}

	// Output: Gophers, gophers, gophers everywhere!
	}