publics
/
crypto


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
							// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package chacha20poly1305

import (
	"bytes"
	"crypto/cipher"
	cryptorand "crypto/rand"
	"encoding/hex"
	"fmt"
	"log"
	mathrand "math/rand"
	"strconv"
	"testing"
)

func TestVectors(t *testing.T) {
	for i, test := range chacha20Poly1305Tests {
		key, _ := hex.DecodeString(test.key)
		nonce, _ := hex.DecodeString(test.nonce)
		ad, _ := hex.DecodeString(test.aad)
		plaintext, _ := hex.DecodeString(test.plaintext)

		var (
			aead cipher.AEAD
			err  error
		)
		switch len(nonce) {
		case NonceSize:
			aead, err = New(key)
		case NonceSizeX:
			aead, err = NewX(key)
		default:
			t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
		}
		if err != nil {
			t.Fatal(err)
		}

		ct := aead.Seal(nil, nonce, plaintext, ad)
		if ctHex := hex.EncodeToString(ct); ctHex != test.out {
			t.Errorf("#%d: got %s, want %s", i, ctHex, test.out)
			continue
		}

		plaintext2, err := aead.Open(nil, nonce, ct, ad)
		if err != nil {
			t.Errorf("#%d: Open failed", i)
			continue
		}

		if !bytes.Equal(plaintext, plaintext2) {
			t.Errorf("#%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
			continue
		}

		if len(ad) > 0 {
			alterAdIdx := mathrand.Intn(len(ad))
			ad[alterAdIdx] ^= 0x80
			if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
				t.Errorf("#%d: Open was successful after altering additional data", i)
			}
			ad[alterAdIdx] ^= 0x80
		}

		alterNonceIdx := mathrand.Intn(aead.NonceSize())
		nonce[alterNonceIdx] ^= 0x80
		if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
			t.Errorf("#%d: Open was successful after altering nonce", i)
		}
		nonce[alterNonceIdx] ^= 0x80

		alterCtIdx := mathrand.Intn(len(ct))
		ct[alterCtIdx] ^= 0x80
		if _, err := aead.Open(nil, nonce, ct, ad); err == nil {
			t.Errorf("#%d: Open was successful after altering ciphertext", i)
		}
		ct[alterCtIdx] ^= 0x80
	}
}

func TestRandom(t *testing.T) {
	// Some random tests to verify Open(Seal) == Plaintext
	f := func(t *testing.T, nonceSize int) {
		for i := 0; i < 256; i++ {
			var nonce = make([]byte, nonceSize)
			var key [32]byte

			al := mathrand.Intn(128)
			pl := mathrand.Intn(16384)
			ad := make([]byte, al)
			plaintext := make([]byte, pl)
			cryptorand.Read(key[:])
			cryptorand.Read(nonce[:])
			cryptorand.Read(ad)
			cryptorand.Read(plaintext)

			var (
				aead cipher.AEAD
				err  error
			)
			switch len(nonce) {
			case NonceSize:
				aead, err = New(key[:])
			case NonceSizeX:
				aead, err = NewX(key[:])
			default:
				t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
			}
			if err != nil {
				t.Fatal(err)
			}

			ct := aead.Seal(nil, nonce[:], plaintext, ad)

			plaintext2, err := aead.Open(nil, nonce[:], ct, ad)
			if err != nil {
				t.Errorf("Random #%d: Open failed", i)
				continue
			}

			if !bytes.Equal(plaintext, plaintext2) {
				t.Errorf("Random #%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
				continue
			}

			if len(ad) > 0 {
				alterAdIdx := mathrand.Intn(len(ad))
				ad[alterAdIdx] ^= 0x80
				if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
					t.Errorf("Random #%d: Open was successful after altering additional data", i)
				}
				ad[alterAdIdx] ^= 0x80
			}

			alterNonceIdx := mathrand.Intn(aead.NonceSize())
			nonce[alterNonceIdx] ^= 0x80
			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
				t.Errorf("Random #%d: Open was successful after altering nonce", i)
			}
			nonce[alterNonceIdx] ^= 0x80

			alterCtIdx := mathrand.Intn(len(ct))
			ct[alterCtIdx] ^= 0x80
			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
				t.Errorf("Random #%d: Open was successful after altering ciphertext", i)
			}
			ct[alterCtIdx] ^= 0x80
		}
	}
	t.Run("Standard", func(t *testing.T) { f(t, NonceSize) })
	t.Run("X", func(t *testing.T) { f(t, NonceSizeX) })
}

func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) {
	b.ReportAllocs()
	b.SetBytes(int64(len(buf)))

	var key [32]byte
	var nonce = make([]byte, nonceSize)
	var ad [13]byte
	var out []byte

	var aead cipher.AEAD
	switch len(nonce) {
	case NonceSize:
		aead, _ = New(key[:])
	case NonceSizeX:
		aead, _ = NewX(key[:])
	}

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		out = aead.Seal(out[:0], nonce[:], buf[:], ad[:])
	}
}

func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) {
	b.ReportAllocs()
	b.SetBytes(int64(len(buf)))

	var key [32]byte
	var nonce = make([]byte, nonceSize)
	var ad [13]byte
	var ct []byte
	var out []byte

	var aead cipher.AEAD
	switch len(nonce) {
	case NonceSize:
		aead, _ = New(key[:])
	case NonceSizeX:
		aead, _ = NewX(key[:])
	}
	ct = aead.Seal(ct[:0], nonce[:], buf[:], ad[:])

	b.ResetTimer()
	for i := 0; i < b.N; i++ {
		out, _ = aead.Open(out[:0], nonce[:], ct[:], ad[:])
	}
}

func BenchmarkChacha20Poly1305(b *testing.B) {
	for _, length := range []int{64, 1350, 8 * 1024} {
		b.Run("Open-"+strconv.Itoa(length), func(b *testing.B) {
			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSize)
		})
		b.Run("Seal-"+strconv.Itoa(length), func(b *testing.B) {
			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSize)
		})

		b.Run("Open-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSizeX)
		})
		b.Run("Seal-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSizeX)
		})
	}
}

var key = make([]byte, KeySize)

func ExampleNewX() {
	aead, err := NewX(key)
	if err != nil {
		log.Fatalln("Failed to instantiate XChaCha20-Poly1305:", err)
	}

	for _, msg := range []string{
		"Attack at dawn.",
		"The eagle has landed.",
		"Gophers, gophers, gophers everywhere!",
	} {
		// Encryption.
		nonce := make([]byte, NonceSizeX)
		if _, err := cryptorand.Read(nonce); err != nil {
			panic(err)
		}
		ciphertext := aead.Seal(nil, nonce, []byte(msg), nil)

		// Decryption.
		plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
		if err != nil {
			log.Fatalln("Failed to decrypt or authenticate message:", err)
		}

		fmt.Printf("%s\n", plaintext)
	}

	// Output: Attack at dawn.
	// The eagle has landed.
	// Gophers, gophers, gophers everywhere!
}