| // Copyright 2016 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package chacha20 |
| |
| import ( |
| "bytes" |
| "encoding/hex" |
| "fmt" |
| "math/rand" |
| "testing" |
| ) |
| |
| func _() { |
| // Assert that bufSize is a multiple of blockSize. |
| var b [1]byte |
| _ = b[bufSize%blockSize] |
| } |
| |
| func hexDecode(s string) []byte { |
| ss, err := hex.DecodeString(s) |
| if err != nil { |
| panic(fmt.Sprintf("cannot decode input %#v: %v", s, err)) |
| } |
| return ss |
| } |
| |
| // Run the test cases with the input and output in different buffers. |
| func TestNoOverlap(t *testing.T) { |
| for _, c := range testVectors { |
| s, _ := NewUnauthenticatedCipher(hexDecode(c.key), hexDecode(c.nonce)) |
| input := hexDecode(c.input) |
| output := make([]byte, len(input)) |
| s.XORKeyStream(output, input) |
| got := hex.EncodeToString(output) |
| if got != c.output { |
| t.Errorf("length=%v: got %#v, want %#v", len(input), got, c.output) |
| } |
| } |
| } |
| |
| // Run the test cases with the input and output overlapping entirely. |
| func TestOverlap(t *testing.T) { |
| for _, c := range testVectors { |
| s, _ := NewUnauthenticatedCipher(hexDecode(c.key), hexDecode(c.nonce)) |
| data := hexDecode(c.input) |
| s.XORKeyStream(data, data) |
| got := hex.EncodeToString(data) |
| if got != c.output { |
| t.Errorf("length=%v: got %#v, want %#v", len(data), got, c.output) |
| } |
| } |
| } |
| |
| // Run the test cases with various source and destination offsets. |
| func TestUnaligned(t *testing.T) { |
| const max = 8 // max offset (+1) to test |
| for _, c := range testVectors { |
| data := hexDecode(c.input) |
| input := make([]byte, len(data)+max) |
| output := make([]byte, len(data)+max) |
| for i := 0; i < max; i++ { // input offsets |
| for j := 0; j < max; j++ { // output offsets |
| s, _ := NewUnauthenticatedCipher(hexDecode(c.key), hexDecode(c.nonce)) |
| |
| input := input[i : i+len(data)] |
| output := output[j : j+len(data)] |
| |
| copy(input, data) |
| s.XORKeyStream(output, input) |
| got := hex.EncodeToString(output) |
| if got != c.output { |
| t.Errorf("length=%v: got %#v, want %#v", len(data), got, c.output) |
| } |
| } |
| } |
| } |
| } |
| |
| // Run the test cases by calling XORKeyStream multiple times. |
| func TestStep(t *testing.T) { |
| // wide range of step sizes to try and hit edge cases |
| steps := [...]int{1, 3, 4, 7, 8, 17, 24, 30, 64, 256} |
| rnd := rand.New(rand.NewSource(123)) |
| for _, c := range testVectors { |
| s, _ := NewUnauthenticatedCipher(hexDecode(c.key), hexDecode(c.nonce)) |
| input := hexDecode(c.input) |
| output := make([]byte, len(input)) |
| |
| // step through the buffers |
| i, step := 0, steps[rnd.Intn(len(steps))] |
| for i+step < len(input) { |
| s.XORKeyStream(output[i:i+step], input[i:i+step]) |
| if i+step < len(input) && output[i+step] != 0 { |
| t.Errorf("length=%v, i=%v, step=%v: output overwritten", len(input), i, step) |
| } |
| i += step |
| step = steps[rnd.Intn(len(steps))] |
| } |
| // finish the encryption |
| s.XORKeyStream(output[i:], input[i:]) |
| // ensure we tolerate a call with an empty input |
| s.XORKeyStream(output[len(output):], input[len(input):]) |
| |
| got := hex.EncodeToString(output) |
| if got != c.output { |
| t.Errorf("length=%v: got %#v, want %#v", len(input), got, c.output) |
| } |
| } |
| } |
| |
| func TestSetCounter(t *testing.T) { |
| newCipher := func() *Cipher { |
| s, _ := NewUnauthenticatedCipher(make([]byte, KeySize), make([]byte, NonceSize)) |
| return s |
| } |
| s := newCipher() |
| src := bytes.Repeat([]byte("test"), 32) // two 64-byte blocks |
| dst1 := make([]byte, len(src)) |
| s.XORKeyStream(dst1, src) |
| // advance counter to 1 and xor second block |
| s = newCipher() |
| s.SetCounter(1) |
| dst2 := make([]byte, len(src)) |
| s.XORKeyStream(dst2[64:], src[64:]) |
| if !bytes.Equal(dst1[64:], dst2[64:]) { |
| t.Error("failed to produce identical output using SetCounter") |
| } |
| |
| // test again with unaligned blocks; SetCounter should reset the buffer |
| s = newCipher() |
| s.XORKeyStream(dst1[:70], src[:70]) |
| s = newCipher() |
| s.XORKeyStream([]byte{0}, []byte{0}) |
| s.SetCounter(1) |
| s.XORKeyStream(dst2[64:70], src[64:70]) |
| if !bytes.Equal(dst1[64:70], dst2[64:70]) { |
| t.Error("SetCounter did not reset buffer") |
| } |
| |
| // advancing to a lower counter value should cause a panic |
| panics := func(fn func()) (p bool) { |
| defer func() { p = recover() != nil }() |
| fn() |
| return |
| } |
| if !panics(func() { s.SetCounter(0) }) { |
| t.Error("counter decreasing should trigger a panic") |
| } |
| } |
| |
| func TestLastBlock(t *testing.T) { |
| panics := func(fn func()) (p bool) { |
| defer func() { p = recover() != nil }() |
| fn() |
| return |
| } |
| |
| checkLastBlock := func(b []byte) { |
| t.Helper() |
| // Hardcoded result to check all implementations generate the same output. |
| lastBlock := "ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d" + |
| "92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d" |
| if got := hex.EncodeToString(b); got != lastBlock { |
| t.Errorf("wrong output for the last block, got %q, want %q", got, lastBlock) |
| } |
| } |
| |
| // setting the counter to 0xffffffff and crypting multiple blocks should |
| // trigger a panic |
| s, _ := NewUnauthenticatedCipher(make([]byte, KeySize), make([]byte, NonceSize)) |
| s.SetCounter(0xffffffff) |
| blocks := make([]byte, blockSize*2) |
| if !panics(func() { s.XORKeyStream(blocks, blocks) }) { |
| t.Error("crypting multiple blocks should trigger a panic") |
| } |
| |
| // setting the counter to 0xffffffff - 1 and crypting two blocks should not |
| // trigger a panic |
| s, _ = NewUnauthenticatedCipher(make([]byte, KeySize), make([]byte, NonceSize)) |
| s.SetCounter(0xffffffff - 1) |
| if panics(func() { s.XORKeyStream(blocks, blocks) }) { |
| t.Error("crypting the last blocks should not trigger a panic") |
| } |
| checkLastBlock(blocks[blockSize:]) |
| // once all the keystream is spent, setting the counter should panic |
| if !panics(func() { s.SetCounter(0xffffffff) }) { |
| t.Error("setting the counter after overflow should trigger a panic") |
| } |
| // crypting a subsequent block *should* panic |
| block := make([]byte, blockSize) |
| if !panics(func() { s.XORKeyStream(block, block) }) { |
| t.Error("crypting after overflow should trigger a panic") |
| } |
| |
| // if we crypt less than a full block, we should be able to crypt the rest |
| // in a subsequent call without panicking |
| s, _ = NewUnauthenticatedCipher(make([]byte, KeySize), make([]byte, NonceSize)) |
| s.SetCounter(0xffffffff) |
| if panics(func() { s.XORKeyStream(block[:7], block[:7]) }) { |
| t.Error("crypting part of the last block should not trigger a panic") |
| } |
| if panics(func() { s.XORKeyStream(block[7:], block[7:]) }) { |
| t.Error("crypting part of the last block should not trigger a panic") |
| } |
| checkLastBlock(block) |
| // as before, a third call should trigger a panic because all keystream is spent |
| if !panics(func() { s.XORKeyStream(block[:1], block[:1]) }) { |
| t.Error("crypting after overflow should trigger a panic") |
| } |
| } |
| |
| func benchmarkChaCha20(b *testing.B, step, count int) { |
| tot := step * count |
| src := make([]byte, tot) |
| dst := make([]byte, tot) |
| key := make([]byte, KeySize) |
| nonce := make([]byte, NonceSize) |
| b.SetBytes(int64(tot)) |
| b.ResetTimer() |
| for i := 0; i < b.N; i++ { |
| c, _ := NewUnauthenticatedCipher(key, nonce) |
| for i := 0; i < tot; i += step { |
| c.XORKeyStream(dst[i:], src[i:i+step]) |
| } |
| } |
| } |
| |
| func BenchmarkChaCha20(b *testing.B) { |
| b.Run("64", func(b *testing.B) { |
| benchmarkChaCha20(b, 64, 1) |
| }) |
| b.Run("256", func(b *testing.B) { |
| benchmarkChaCha20(b, 256, 1) |
| }) |
| b.Run("10x25", func(b *testing.B) { |
| benchmarkChaCha20(b, 10, 25) |
| }) |
| b.Run("4096", func(b *testing.B) { |
| benchmarkChaCha20(b, 4096, 1) |
| }) |
| b.Run("100x40", func(b *testing.B) { |
| benchmarkChaCha20(b, 100, 40) |
| }) |
| b.Run("65536", func(b *testing.B) { |
| benchmarkChaCha20(b, 65536, 1) |
| }) |
| b.Run("1000x65", func(b *testing.B) { |
| benchmarkChaCha20(b, 1000, 65) |
| }) |
| } |
| |
| func TestHChaCha20(t *testing.T) { |
| // See draft-irtf-cfrg-xchacha-00, Section 2.2.1. |
| key := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
| 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, |
| 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, |
| 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f} |
| nonce := []byte{0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x4a, |
| 0x00, 0x00, 0x00, 0x00, 0x31, 0x41, 0x59, 0x27} |
| expected := []byte{0x82, 0x41, 0x3b, 0x42, 0x27, 0xb2, 0x7b, 0xfe, |
| 0xd3, 0x0e, 0x42, 0x50, 0x8a, 0x87, 0x7d, 0x73, |
| 0xa0, 0xf9, 0xe4, 0xd5, 0x8a, 0x74, 0xa8, 0x53, |
| 0xc1, 0x2e, 0xc4, 0x13, 0x26, 0xd3, 0xec, 0xdc, |
| } |
| result, err := HChaCha20(key[:], nonce[:]) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if !bytes.Equal(expected, result) { |
| t.Errorf("want %x, got %x", expected, result) |
| } |
| } |