binarymatt
diff --git a/‎chacha20poly1305/chacha20poly1305.go‎
Lines changed: 6 additions & 2 deletions b/‎chacha20poly1305/chacha20poly1305.go‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎chacha20poly1305/chacha20poly1305_test.go‎
Lines changed: 111 additions & 74 deletions b/‎chacha20poly1305/chacha20poly1305_test.go‎
Lines changed: 111 additions & 74 deletions
diff --git a/‎chacha20poly1305/chacha20poly1305_vectors_test.go‎
Lines changed: 23 additions & 0 deletions b/‎chacha20poly1305/chacha20poly1305_vectors_test.go‎
Lines changed: 23 additions & 0 deletions
@@ -14,15 +14,19 @@ import (
 const (
 	// KeySize is the size of the key used by this AEAD, in bytes.
 	KeySize = 32
-	// NonceSize is the size of the nonce used with this AEAD, in bytes.
+	// NonceSize is the size of the nonce used with the standard variant of this
+	// AEAD, in bytes.
+	//
+	// Note that this is too short to be safely generated at random if the same
+	// key is reused more than 2³² times.
 	NonceSize = 12
 )
 
 type chacha20poly1305 struct {
 	key [8]uint32
 }
 
-// New returns a ChaCha20-Poly1305 AEAD that uses the given, 256-bit key.
+// New returns a ChaCha20-Poly1305 AEAD that uses the given 256-bit key.
 func New(key []byte) (cipher.AEAD, error) {
 	if len(key) != KeySize {
 		return nil, errors.New("chacha20poly1305: bad key length")
 
@@ -6,9 +6,11 @@ package chacha20poly1305
 
 import (
 	"bytes"
+	"crypto/cipher"
 	cr "crypto/rand"
 	"encoding/hex"
 	mr "math/rand"
+	"strconv"
 	"testing"
 )
 
@@ -19,7 +21,18 @@ func TestVectors(t *testing.T) {
 		ad, _ := hex.DecodeString(test.aad)
 		plaintext, _ := hex.DecodeString(test.plaintext)
 
-		aead, err := New(key)
+		var (
+			aead cipher.AEAD
+			err  error
+		)
+		switch len(nonce) {
+		case NonceSize:
+			aead, err = New(key)
+		case NonceSizeX:
+			aead, err = NewX(key)
+		default:
+			t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
+		}
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -68,87 +81,117 @@ func TestVectors(t *testing.T) {
 
 func TestRandom(t *testing.T) {
 	// Some random tests to verify Open(Seal) == Plaintext
-	for i := 0; i < 256; i++ {
-		var nonce [12]byte
-		var key [32]byte
-
-		al := mr.Intn(128)
-		pl := mr.Intn(16384)
-		ad := make([]byte, al)
-		plaintext := make([]byte, pl)
-		cr.Read(key[:])
-		cr.Read(nonce[:])
-		cr.Read(ad)
-		cr.Read(plaintext)
-
-		aead, err := New(key[:])
-		if err != nil {
-			t.Fatal(err)
-		}
+	f := func(t *testing.T, nonceSize int) {
+		for i := 0; i < 256; i++ {
+			var nonce = make([]byte, nonceSize)
+			var key [32]byte
+
+			al := mr.Intn(128)
+			pl := mr.Intn(16384)
+			ad := make([]byte, al)
+			plaintext := make([]byte, pl)
+			cr.Read(key[:])
+			cr.Read(nonce[:])
+			cr.Read(ad)
+			cr.Read(plaintext)
+
+			var (
+				aead cipher.AEAD
+				err  error
+			)
+			switch len(nonce) {
+			case NonceSize:
+				aead, err = New(key[:])
+			case NonceSizeX:
+				aead, err = NewX(key[:])
+			default:
+				t.Fatalf("#%d: wrong nonce length: %d", i, len(nonce))
+			}
+			if err != nil {
+				t.Fatal(err)
+			}
 
-		ct := aead.Seal(nil, nonce[:], plaintext, ad)
+			ct := aead.Seal(nil, nonce[:], plaintext, ad)
 
-		plaintext2, err := aead.Open(nil, nonce[:], ct, ad)
-		if err != nil {
-			t.Errorf("Random #%d: Open failed", i)
-			continue
-		}
+			plaintext2, err := aead.Open(nil, nonce[:], ct, ad)
+			if err != nil {
+				t.Errorf("Random #%d: Open failed", i)
+				continue
+			}
 
-		if !bytes.Equal(plaintext, plaintext2) {
-			t.Errorf("Random #%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
-			continue
-		}
+			if !bytes.Equal(plaintext, plaintext2) {
+				t.Errorf("Random #%d: plaintext's don't match: got %x vs %x", i, plaintext2, plaintext)
+				continue
+			}
 
-		if len(ad) > 0 {
-			alterAdIdx := mr.Intn(len(ad))
-			ad[alterAdIdx] ^= 0x80
-			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
-				t.Errorf("Random #%d: Open was successful after altering additional data", i)
+			if len(ad) > 0 {
+				alterAdIdx := mr.Intn(len(ad))
+				ad[alterAdIdx] ^= 0x80
+				if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
+					t.Errorf("Random #%d: Open was successful after altering additional data", i)
+				}
+				ad[alterAdIdx] ^= 0x80
 			}
-			ad[alterAdIdx] ^= 0x80
-		}
 
-		alterNonceIdx := mr.Intn(aead.NonceSize())
-		nonce[alterNonceIdx] ^= 0x80
-		if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
-			t.Errorf("Random #%d: Open was successful after altering nonce", i)
-		}
-		nonce[alterNonceIdx] ^= 0x80
+			alterNonceIdx := mr.Intn(aead.NonceSize())
+			nonce[alterNonceIdx] ^= 0x80
+			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
+				t.Errorf("Random #%d: Open was successful after altering nonce", i)
+			}
+			nonce[alterNonceIdx] ^= 0x80
 
-		alterCtIdx := mr.Intn(len(ct))
-		ct[alterCtIdx] ^= 0x80
-		if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
-			t.Errorf("Random #%d: Open was successful after altering ciphertext", i)
+			alterCtIdx := mr.Intn(len(ct))
+			ct[alterCtIdx] ^= 0x80
+			if _, err := aead.Open(nil, nonce[:], ct, ad); err == nil {
+				t.Errorf("Random #%d: Open was successful after altering ciphertext", i)
+			}
+			ct[alterCtIdx] ^= 0x80
 		}
-		ct[alterCtIdx] ^= 0x80
 	}
+	t.Run("Standard", func(t *testing.T) { f(t, NonceSize) })
+	t.Run("X", func(t *testing.T) { f(t, NonceSizeX) })
 }
 
-func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte) {
+func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) {
+	b.ReportAllocs()
 	b.SetBytes(int64(len(buf)))
 
 	var key [32]byte
-	var nonce [12]byte
+	var nonce = make([]byte, nonceSize)
 	var ad [13]byte
 	var out []byte
 
-	aead, _ := New(key[:])
+	var aead cipher.AEAD
+	switch len(nonce) {
+	case NonceSize:
+		aead, _ = New(key[:])
+	case NonceSizeX:
+		aead, _ = NewX(key[:])
+	}
+
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		out = aead.Seal(out[:0], nonce[:], buf[:], ad[:])
 	}
 }
 
-func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte) {
+func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) {
+	b.ReportAllocs()
 	b.SetBytes(int64(len(buf)))
 
 	var key [32]byte
-	var nonce [12]byte
+	var nonce = make([]byte, nonceSize)
 	var ad [13]byte
 	var ct []byte
 	var out []byte
 
-	aead, _ := New(key[:])
+	var aead cipher.AEAD
+	switch len(nonce) {
+	case NonceSize:
+		aead, _ = New(key[:])
+	case NonceSizeX:
+		aead, _ = NewX(key[:])
+	}
 	ct = aead.Seal(ct[:0], nonce[:], buf[:], ad[:])
 
 	b.ResetTimer()
@@ -157,26 +200,20 @@ func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte) {
 	}
 }
 
-func BenchmarkChacha20Poly1305Open_64(b *testing.B) {
-	benchamarkChaCha20Poly1305Open(b, make([]byte, 64))
-}
-
-func BenchmarkChacha20Poly1305Seal_64(b *testing.B) {
-	benchamarkChaCha20Poly1305Seal(b, make([]byte, 64))
-}
-
-func BenchmarkChacha20Poly1305Open_1350(b *testing.B) {
-	benchamarkChaCha20Poly1305Open(b, make([]byte, 1350))
-}
-
-func BenchmarkChacha20Poly1305Seal_1350(b *testing.B) {
-	benchamarkChaCha20Poly1305Seal(b, make([]byte, 1350))
-}
-
-func BenchmarkChacha20Poly1305Open_8K(b *testing.B) {
-	benchamarkChaCha20Poly1305Open(b, make([]byte, 8*1024))
-}
-
-func BenchmarkChacha20Poly1305Seal_8K(b *testing.B) {
-	benchamarkChaCha20Poly1305Seal(b, make([]byte, 8*1024))
+func BenchmarkChacha20Poly1305(b *testing.B) {
+	for _, length := range []int{64, 1350, 8 * 1024} {
+		b.Run("Open-"+strconv.Itoa(length), func(b *testing.B) {
+			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSize)
+		})
+		b.Run("Seal-"+strconv.Itoa(length), func(b *testing.B) {
+			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSize)
+		})
+
+		b.Run("Open-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
+			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSizeX)
+		})
+		b.Run("Seal-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
+			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSizeX)
+		})
+	}
 }
@@ -336,4 +336,27 @@ var chacha20Poly1305Tests = []struct {
 		"129039b5572e8a7a8131f76a",
 		"2c125232a59879aee36cacc4aca5085a4688c4f776667a8fbd86862b5cfb1d57c976688fdd652eafa2b88b1b8e358aa2110ff6ef13cdc1ceca9c9f087c35c38d89d6fbd8de89538070f17916ecb19ca3ef4a1c834f0bdaa1df62aaabef2e117106787056c909e61ecd208357dd5c363f11c5d6cf24992cc873cf69f59360a820fcf290bd90b2cab24c47286acb4e1033962b6d41e562a206a94796a8ab1c6b8bade804ff9bdf5ba6062d2c1f8fe0f4dfc05720bd9a612b92c26789f9f6a7ce43f5e8e3aee99a9cd7d6c11eaa611983c36935b0dda57d898a60a0ab7c4b54",
 	},
+
+	// XChaCha20-Poly1305 vectors
+	{
+		"000000000000000000000000000000",
+		"",
+		"0000000000000000000000000000000000000000000000000000000000000000",
+		"000000000000000000000000000000000000000000000000",
+		"789e9689e5208d7fd9e1f3c5b5341fb2f7033812ac9ebd3745e2c99c7bbfeb",
+	},
+	{
+		"02dc819b71875e49f5e1e5a768141cfd3f14307ae61a34d81decd9a3367c00c7",
+		"",
+		"b7bbfe61b8041658ddc95d5cbdc01bbe7626d24f3a043b70ddee87541234cff7",
+		"e293239d4c0a07840c5f83cb515be7fd59c333933027e99c",
+		"7a51f271bd2e547943c7be3316c05519a5d16803712289aa2369950b1504dd8267222e47b13280077ecada7b8795d535",
+	},
+	{
+		"7afc5f3f24155002e17dc176a8f1f3a097ff5a991b02ff4640f70b90db0c15c328b696d6998ea7988edfe3b960e47824e4ae002fbe589be57896a9b7bf5578599c6ba0153c7c",
+		"d499bb9758debe59a93783c61974b7",
+		"4ea8fab44a07f7ffc0329b2c2f8f994efdb6d505aec32113ae324def5d929ba1",
+		"404d5086271c58bf27b0352a205d21ce4367d7b6a7628961",
+		"26d2b46ad58b6988e2dcf1d09ba8ab6f532dc7e0847cdbc0ed00284225c02bbdb278ee8381ebd127a06926107d1b731cfb1521b267168926492e8f77219ad922257a5be2c5e52e6183ca4dfd0ad3912d7bd1ec968065",
+	},
 }