|  | // Copyright 2016 The Go Authors. All rights reserved. | 
|  | // Use of this source code is governed by a BSD-style | 
|  | // license that can be found in the LICENSE file. | 
|  |  | 
|  | package chacha20poly1305 | 
|  |  | 
|  | import ( | 
|  | "bytes" | 
|  | "crypto/cipher" | 
|  | cryptorand "crypto/rand" | 
|  | "encoding/hex" | 
|  | "fmt" | 
|  | mathrand "math/rand" | 
|  | "strconv" | 
|  | "testing" | 
|  | ) | 
|  |  | 
|  | func TestVectors(t *testing.T) { | 
|  | for i, test := range chacha20Poly1305Tests { | 
|  | key, _ := hex.DecodeString(test.key) | 
|  | nonce, _ := hex.DecodeString(test.nonce) | 
|  | ad, _ := hex.DecodeString(test.aad) | 
|  | plaintext, _ := hex.DecodeString(test.plaintext) | 
|  |  | 
|  | var ( | 
|  | aead cipher.AEAD | 
|  | err  error | 
|  | ) | 
|  | switch len(nonce) { | 
|  | case NonceSize: | 
|  | aead, err = New(key) | 
|  | case NonceSizeX: | 
|  | aead, err = NewX(key) | 
|  | default: | 
|  | t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce)) | 
|  | } | 
|  | if err != nil { | 
|  | t.Fatal(err) | 
|  | } | 
|  |  | 
|  | ct := aead.Seal(nil, nonce, plaintext, ad) | 
|  | if ctHex := hex.EncodeToString(ct); ctHex != test.out { | 
|  | t.Errorf("#%d: got %s, want %s", i, ctHex, test.out) | 
|  | continue | 
|  | } | 
|  |  | 
|  | plaintext2, err := aead.Open(nil, nonce, ct, ad) | 
|  | if err != nil { | 
|  | t.Errorf("#%d: Open failed", i) | 
|  | continue | 
|  | } | 
|  |  | 
|  | if !bytes.Equal(plaintext, plaintext2) { | 
|  | t.Errorf("#%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext) | 
|  | continue | 
|  | } | 
|  |  | 
|  | if len(ad) > 0 { | 
|  | alterAdIdx := mathrand.Intn(len(ad)) | 
|  | ad[alterAdIdx] ^= 0x80 | 
|  | if _, err := aead.Open(nil, nonce, ct, ad); err == nil { | 
|  | t.Errorf("#%d: Open was successful after altering additional data", i) | 
|  | } | 
|  | ad[alterAdIdx] ^= 0x80 | 
|  | } | 
|  |  | 
|  | alterNonceIdx := mathrand.Intn(aead.NonceSize()) | 
|  | nonce[alterNonceIdx] ^= 0x80 | 
|  | if _, err := aead.Open(nil, nonce, ct, ad); err == nil { | 
|  | t.Errorf("#%d: Open was successful after altering nonce", i) | 
|  | } | 
|  | nonce[alterNonceIdx] ^= 0x80 | 
|  |  | 
|  | alterCtIdx := mathrand.Intn(len(ct)) | 
|  | ct[alterCtIdx] ^= 0x80 | 
|  | if _, err := aead.Open(nil, nonce, ct, ad); err == nil { | 
|  | t.Errorf("#%d: Open was successful after altering ciphertext", i) | 
|  | } | 
|  | ct[alterCtIdx] ^= 0x80 | 
|  | } | 
|  | } | 
|  |  | 
|  | func TestRandom(t *testing.T) { | 
|  | // Some random tests to verify Open(Seal) == Plaintext | 
|  | f := func(t *testing.T, nonceSize int) { | 
|  | for i := 0; i < 256; i++ { | 
|  | var nonce = make([]byte, nonceSize) | 
|  | var key [32]byte | 
|  |  | 
|  | al := mathrand.Intn(128) | 
|  | pl := mathrand.Intn(16384) | 
|  | ad := make([]byte, al) | 
|  | plaintext := make([]byte, pl) | 
|  | cryptorand.Read(key[:]) | 
|  | cryptorand.Read(nonce[:]) | 
|  | cryptorand.Read(ad) | 
|  | cryptorand.Read(plaintext) | 
|  |  | 
|  | var ( | 
|  | aead cipher.AEAD | 
|  | err  error | 
|  | ) | 
|  | switch len(nonce) { | 
|  | case NonceSize: | 
|  | aead, err = New(key[:]) | 
|  | case NonceSizeX: | 
|  | aead, err = NewX(key[:]) | 
|  | default: | 
|  | t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce)) | 
|  | } | 
|  | if err != nil { | 
|  | t.Fatal(err) | 
|  | } | 
|  |  | 
|  | ct := aead.Seal(nil, nonce[:], plaintext, ad) | 
|  |  | 
|  | plaintext2, err := aead.Open(nil, nonce[:], ct, ad) | 
|  | if err != nil { | 
|  | t.Errorf("Random #%d: Open failed", i) | 
|  | continue | 
|  | } | 
|  |  | 
|  | if !bytes.Equal(plaintext, plaintext2) { | 
|  | t.Errorf("Random #%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext) | 
|  | continue | 
|  | } | 
|  |  | 
|  | if len(ad) > 0 { | 
|  | alterAdIdx := mathrand.Intn(len(ad)) | 
|  | ad[alterAdIdx] ^= 0x80 | 
|  | if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil { | 
|  | t.Errorf("Random #%d: Open was successful after altering additional data", i) | 
|  | } | 
|  | ad[alterAdIdx] ^= 0x80 | 
|  | } | 
|  |  | 
|  | alterNonceIdx := mathrand.Intn(aead.NonceSize()) | 
|  | nonce[alterNonceIdx] ^= 0x80 | 
|  | if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil { | 
|  | t.Errorf("Random #%d: Open was successful after altering nonce", i) | 
|  | } | 
|  | nonce[alterNonceIdx] ^= 0x80 | 
|  |  | 
|  | alterCtIdx := mathrand.Intn(len(ct)) | 
|  | ct[alterCtIdx] ^= 0x80 | 
|  | if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil { | 
|  | t.Errorf("Random #%d: Open was successful after altering ciphertext", i) | 
|  | } | 
|  | ct[alterCtIdx] ^= 0x80 | 
|  | } | 
|  | } | 
|  | t.Run("Standard", func(t *testing.T) { f(t, NonceSize) }) | 
|  | t.Run("X", func(t *testing.T) { f(t, NonceSizeX) }) | 
|  | } | 
|  |  | 
|  | func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) { | 
|  | b.ReportAllocs() | 
|  | b.SetBytes(int64(len(buf))) | 
|  |  | 
|  | var key [32]byte | 
|  | var nonce = make([]byte, nonceSize) | 
|  | var ad [13]byte | 
|  | var out []byte | 
|  |  | 
|  | var aead cipher.AEAD | 
|  | switch len(nonce) { | 
|  | case NonceSize: | 
|  | aead, _ = New(key[:]) | 
|  | case NonceSizeX: | 
|  | aead, _ = NewX(key[:]) | 
|  | } | 
|  |  | 
|  | b.ResetTimer() | 
|  | for i := 0; i < b.N; i++ { | 
|  | out = aead.Seal(out[:0], nonce[:], buf[:], ad[:]) | 
|  | } | 
|  | } | 
|  |  | 
|  | func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) { | 
|  | b.ReportAllocs() | 
|  | b.SetBytes(int64(len(buf))) | 
|  |  | 
|  | var key [32]byte | 
|  | var nonce = make([]byte, nonceSize) | 
|  | var ad [13]byte | 
|  | var ct []byte | 
|  | var out []byte | 
|  |  | 
|  | var aead cipher.AEAD | 
|  | switch len(nonce) { | 
|  | case NonceSize: | 
|  | aead, _ = New(key[:]) | 
|  | case NonceSizeX: | 
|  | aead, _ = NewX(key[:]) | 
|  | } | 
|  | ct = aead.Seal(ct[:0], nonce[:], buf[:], ad[:]) | 
|  |  | 
|  | b.ResetTimer() | 
|  | for i := 0; i < b.N; i++ { | 
|  | out, _ = aead.Open(out[:0], nonce[:], ct[:], ad[:]) | 
|  | } | 
|  | } | 
|  |  | 
|  | func BenchmarkChacha20Poly1305(b *testing.B) { | 
|  | for _, length := range []int{64, 1350, 8 * 1024} { | 
|  | b.Run("Open-"+strconv.Itoa(length), func(b *testing.B) { | 
|  | benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSize) | 
|  | }) | 
|  | b.Run("Seal-"+strconv.Itoa(length), func(b *testing.B) { | 
|  | benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSize) | 
|  | }) | 
|  |  | 
|  | b.Run("Open-"+strconv.Itoa(length)+"-X", func(b *testing.B) { | 
|  | benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSizeX) | 
|  | }) | 
|  | b.Run("Seal-"+strconv.Itoa(length)+"-X", func(b *testing.B) { | 
|  | benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSizeX) | 
|  | }) | 
|  | } | 
|  | } | 
|  |  | 
|  | func ExampleNewX() { | 
|  | // key should be randomly generated or derived from a function like Argon2. | 
|  | key := make([]byte, KeySize) | 
|  | if _, err := cryptorand.Read(key); err != nil { | 
|  | panic(err) | 
|  | } | 
|  |  | 
|  | aead, err := NewX(key) | 
|  | if err != nil { | 
|  | panic(err) | 
|  | } | 
|  |  | 
|  | // Encryption. | 
|  | var encryptedMsg []byte | 
|  | { | 
|  | msg := []byte("Gophers, gophers, gophers everywhere!") | 
|  |  | 
|  | // Select a random nonce, and leave capacity for the ciphertext. | 
|  | nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(msg)+aead.Overhead()) | 
|  | if _, err := cryptorand.Read(nonce); err != nil { | 
|  | panic(err) | 
|  | } | 
|  |  | 
|  | // Encrypt the message and append the ciphertext to the nonce. | 
|  | encryptedMsg = aead.Seal(nonce, nonce, msg, nil) | 
|  | } | 
|  |  | 
|  | // Decryption. | 
|  | { | 
|  | if len(encryptedMsg) < aead.NonceSize() { | 
|  | panic("ciphertext too short") | 
|  | } | 
|  |  | 
|  | // Split nonce and ciphertext. | 
|  | nonce, ciphertext := encryptedMsg[:aead.NonceSize()], encryptedMsg[aead.NonceSize():] | 
|  |  | 
|  | // Decrypt the message and check it wasn't tampered with. | 
|  | plaintext, err := aead.Open(nil, nonce, ciphertext, nil) | 
|  | if err != nil { | 
|  | panic(err) | 
|  | } | 
|  |  | 
|  | fmt.Printf("%s\n", plaintext) | 
|  | } | 
|  |  | 
|  | // Output: Gophers, gophers, gophers everywhere! | 
|  | } |