[crypto] x/crypto: Add the ChaCha20 stream cipher and the ChaCha20Poly1305 AEAD construction described in RFC 7539.
111 views
Skip to first unread message
Andreas Auernhammer (Gerrit)
Jul 20, 2016, 2:41:34 PM7/20/16
to Ian Lance Taylor, golang-co...@googlegroups.com
Andreas Auernhammer uploaded a change:
https://go-review.googlesource.com/25092
x/crypto: Add the ChaCha20 stream cipher and the ChaCha20Poly1305 AEAD
construction described in RFC 7539.
Therefore introduced a special poly1305.Hash struct to avoid memory
allocations (for the AEAD).
The chacha20 package is similar to the existing salsa20 package.
There is still room for performance improvements (AVX2...), but maybe it
can be used as
a template.
Change-Id: Icb7d3d36e33e25d3c9b7f7c84fdca93c9051f1af
---
M chacha20/chacha/chacha.go
M chacha20/chacha/chacha_amd64.go
M chacha20/chacha/chacha_amd64.s
M chacha20/chacha/chacha_ref.go
M chacha20/chacha/chacha_test.go
M chacha20/chacha20.go
M chacha20/chachaPoly1305.go
M chacha20/chachaPoly1305_test.go
8 files changed, 177 insertions(+), 230 deletions(-)
diff --git a/chacha20/chacha/chacha.go b/chacha20/chacha/chacha.go
index 8cef3dd..3e109a1 100644
--- a/chacha20/chacha/chacha.go
+++ b/chacha20/chacha/chacha.go
@@ -31,3 +31,34 @@
c.state[51] = byte(ctr >> 24)
c.off = 0
}
+
+// XORKeyStream crypts bytes from src to dst. Src and dst may be the same
slice
+// but otherwise should not overlap. If len(dst) < len(src) the function
panics.
+func (c *Cipher) XORKeyStream(dst, src []byte) {
+ length := len(src)
+ if len(dst) < length {
+ panic("chacha20/chacha: dst buffer is to small")
+ }
+
+ if c.off > 0 {
+ n := xor(dst, src, c.block[c.off:])
+ if n == length {
+ c.off += n
+ return
+ }
+ src = src[n:]
+ dst = dst[n:]
+ length -= n
+ c.off = 0
+ }
+
+ if length >= 64 {
+ xorBlocks(dst, src, &(c.state), c.rounds)
+ }
+
+ if n := length & (^(64 - 1)); length-n > 0 {
+ Core(&(c.block), &(c.state), c.rounds)
+
+ c.off += xor(dst[n:], src[n:], c.block[:])
+ }
+}
diff --git a/chacha20/chacha/chacha_amd64.go
b/chacha20/chacha/chacha_amd64.go
index 1d6c2ae..676ae47 100644
--- a/chacha20/chacha/chacha_amd64.go
+++ b/chacha20/chacha/chacha_amd64.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// +build amd64,!gccgo,!appengine
+// +build amd64, !gccgo, !appengine
package chacha
@@ -40,7 +40,7 @@
statePtr[7] = *(*uint64)(unsafe.Pointer(&nonce[4]))
if length >= 64 {
- XORBlocks(dst, src, &state, rounds)
+ xorBlocks(dst, src, &state, rounds)
}
if n := length & (^(64 - 1)); length-n > 0 {
@@ -77,42 +77,12 @@
return c
}
-// XORKeyStream crypts bytes from src to dst. Src and dst may be the same
slice
-// but otherwise should not overlap. If len(dst) < len(src) the function
panics.
-func (c *Cipher) XORKeyStream(dst, src []byte) {
- length := len(src)
- if len(dst) < length {
- panic("chacha20/chacha: dst buffer is to small")
- }
-
- if c.off > 0 {
- n := xor(dst, src, c.block[c.off:])
- if n == length {
- c.off += n
- return
- }
- src = src[n:]
- dst = dst[n:]
- length -= n
- c.off = 0
- }
-
- if length >= 64 {
- XORBlocks(dst, src, &(c.state), c.rounds)
- }
-
- if n := length & (^(64 - 1)); length-n > 0 {
- Core(&(c.block), &(c.state), c.rounds)
-
- c.off += xor(dst[n:], src[n:], c.block[:])
- }
-}
-
-// XORBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
+// xorBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
// dst using the state. Src and dst may be the same slice but otherwise
should not
// overlap. This function increments the counter of state.
// If len(src) > len(dst), XORBlocks does nothing.
-func XORBlocks(dst, src []byte, state *[64]byte, rounds int)
+//go:noescape
+func xorBlocks(dst, src []byte, state *[64]byte, rounds int)
// Core generates 64 byte keystream from the given state
performing 'rounds' rounds
// and writes them to dst. This function expects valid values. (no nil ptr
etc.)
diff --git a/chacha20/chacha/chacha_amd64.s b/chacha20/chacha/chacha_amd64.s
index 0d71073..033c294 100644
--- a/chacha20/chacha/chacha_amd64.s
+++ b/chacha20/chacha/chacha_amd64.s
@@ -75,53 +75,53 @@
PSHUFL $57, v7, v7
#define HALF_ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11,
v12, v13, v14, v15, t0) \
- PADDL v1, v0; \
+ PADDL v1, v0; \
PADDL v5, v4; \
- PADDL v9, v8; \
- PADDL v13, v12; \
- PXOR v0, v3; \
- PXOR v4, v7; \
- PXOR v8, v11; \
- PXOR v12, v15; \
- MOVO v12, t0; \
+ PADDL v9, v8; \
+ PADDL v13, v12; \
+ PXOR v0, v3; \
+ PXOR v4, v7; \
+ PXOR v8, v11; \
+ PXOR v12, v15; \
+ MOVO v12, t0; \
ROTL32(16, v3, v12); \
ROTL32(16, v7, v12); \
ROTL32(16, v11, v12); \
ROTL32(16, v15, v12); \
- PADDL v3, v2; \
- PADDL v7, v6; \
- PADDL v11, v10; \
- PADDL v15, v14; \
- PXOR v2, v1; \
- PXOR v6, v5; \
- PXOR v10, v9; \
- PXOR v14, v13; \
+ PADDL v3, v2; \
+ PADDL v7, v6; \
+ PADDL v11, v10; \
+ PADDL v15, v14; \
+ PXOR v2, v1; \
+ PXOR v6, v5; \
+ PXOR v10, v9; \
+ PXOR v14, v13; \
ROTL32(12, v1, v12); \
ROTL32(12, v5, v12); \
ROTL32(12, v9, v12); \
ROTL32(12, v13, v12); \
- MOVO t0, v12; \
- PADDL v1, v0; \
- PADDL v5, v4; \
- PADDL v9, v8; \
- PADDL v13, v12; \
- PXOR v0, v3; \
- PXOR v4, v7; \
- PXOR v8, v11; \
- PXOR v12, v15; \
- MOVO v12, 16(SP); \
+ MOVO t0, v12; \
+ PADDL v1, v0; \
+ PADDL v5, v4; \
+ PADDL v9, v8; \
+ PADDL v13, v12; \
+ PXOR v0, v3; \
+ PXOR v4, v7; \
+ PXOR v8, v11; \
+ PXOR v12, v15; \
+ MOVO v12, 16(SP); \
ROTL32(8, v3, v12); \
ROTL32(8, v7, v12); \
ROTL32(8, v11, v12); \
ROTL32(8, v15, v12); \
- PADDL v3, v2; \
- PADDL v7, v6; \
- PADDL v11, v10; \
- PADDL v15, v14; \
- PXOR v2, v1; \
- PXOR v6, v5; \
- PXOR v10, v9; \
- PXOR v14, v13; \
+ PADDL v3, v2; \
+ PADDL v7, v6; \
+ PADDL v11, v10; \
+ PADDL v15, v14; \
+ PXOR v2, v1; \
+ PXOR v6, v5; \
+ PXOR v10, v9; \
+ PXOR v14, v13; \
ROTL32(7, v1, v12); \
ROTL32(7, v5, v12); \
ROTL32(7, v9, v12); \
@@ -129,32 +129,32 @@
#define ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12,
v13, v14, v15, t0) \
HALF_ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12,
v13, v14, v15, t0); \
- PSHUFL $57, v1, v1; \
- PSHUFL $57, v5, v5; \
- PSHUFL $57, v9, v9; \
- PSHUFL $57, v13, v13; \
- PSHUFL $78, v2, v2; \
- PSHUFL $78, v6, v6; \
- PSHUFL $78, v10, v10; \
- PSHUFL $78, v14, v14; \
- PSHUFL $147, v3, v3; \
- PSHUFL $147, v7, v7; \
- PSHUFL $147, v11, v11; \
- PSHUFL $147, v15, v15; \
- MOVO t0, v12; \
+ PSHUFL $57, v1, v1; \
+ PSHUFL $57, v5, v5; \
+ PSHUFL $57, v9, v9; \
+ PSHUFL $57, v13, v13; \
+ PSHUFL $78, v2, v2; \
+ PSHUFL $78, v6, v6; \
+ PSHUFL $78, v10, v10; \
+ PSHUFL $78, v14, v14; \
+ PSHUFL $147, v3, v3; \
+ PSHUFL $147, v7, v7; \
+ PSHUFL $147, v11, v11; \
+ PSHUFL $147, v15, v15; \
+ MOVO t0, v12; \
HALF_ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12,
v13, v14, v15, t0); \
- PSHUFL $147, v1, v1; \
- PSHUFL $147, v5, v5; \
- PSHUFL $147, v9, v9; \
- PSHUFL $147, v13, v13; \
- PSHUFL $78, v2, v2; \
- PSHUFL $78, v6, v6; \
- PSHUFL $78, v10, v10; \
- PSHUFL $78, v14, v14; \
- PSHUFL $57, v3, v3; \
- PSHUFL $57, v7, v7; \
- PSHUFL $57, v11, v11; \
- PSHUFL $57, v15, v15; \
+ PSHUFL $147, v1, v1; \
+ PSHUFL $147, v5, v5; \
+ PSHUFL $147, v9, v9; \
+ PSHUFL $147, v13, v13; \
+ PSHUFL $78, v2, v2; \
+ PSHUFL $78, v6, v6; \
+ PSHUFL $78, v10, v10; \
+ PSHUFL $78, v14, v14; \
+ PSHUFL $57, v3, v3; \
+ PSHUFL $57, v7, v7; \
+ PSHUFL $57, v11, v11; \
+ PSHUFL $57, v15, v15; \
MOVO t0, v12
#define XOR_64B(dst, src, off, v0 , v1 , v2 , v3 , t0) \
@@ -201,13 +201,14 @@
MOVL DI, 48(AX)
RET
-TEXT ·XORBlocks(SB),4,$0-64
+// func xorBlocks(dst, src []byte, state *[64]byte, rounds int)
+TEXT ·xorBlocks(SB),4,$0-64
MOVQ state+48(FP), AX
- MOVQ dst+0(FP), BX
- MOVQ src+24(FP), CX
- MOVQ src+32(FP), DX
+ MOVQ dst_base+0(FP), BX
+ MOVQ src_base+24(FP), CX
+ MOVQ src_len+32(FP), DX
MOVQ rounds+56(FP), DI
- CMPQ dst+8(FP), DX
+ CMPQ dst_len+8(FP), DX
JB DONE
MOVQ SP, SI
@@ -273,7 +274,7 @@
PADDL 16(AX), X13
PADDL 32(AX), X14
PADDL X3, X15
- XOR_64B(BX, CX, 192, X12, X13, X14, X15, X0)
+ XOR_64B(BX, CX, 192, X12, X13, X14, X15, X0)
PADDQ 0(SP), X3
MOVO X3, 48(AX)
ADDQ $256, CX
@@ -341,7 +342,7 @@
PADDL X1, X5
PADDL X2, X6
PADDL X3, X7
- XOR_64B(BX, CX, 0, X4, X5, X6, X7, X8)
+ XOR_64B(BX, CX, 0, X4, X5, X6, X7, X8)
PADDQ X15, X3
MOVO X3, 48(AX)
DONE:
diff --git a/chacha20/chacha/chacha_ref.go b/chacha20/chacha/chacha_ref.go
index e9bc735..c2758b6 100644
--- a/chacha20/chacha/chacha_ref.go
+++ b/chacha20/chacha/chacha_ref.go
@@ -33,7 +33,7 @@
copy(state[52:], nonce[:])
if length >= 64 {
- XORBlocks(dst, src, &state, rounds)
+ xorBlocks(dst, src, &state, rounds)
}
if n := length & (^(64 - 1)); length-n > 0 {
@@ -62,42 +62,11 @@
return c
}
-// XORKeyStream crypts bytes from src to dst. Src and dst may be the same
slice
-// but otherwise should not overlap. If len(dst) < len(src) the function
panics.
-func (c *Cipher) XORKeyStream(dst, src []byte) {
- length := len(src)
- if len(dst) < length {
- panic("chacha20/chacha: dst buffer is to small")
- }
-
- if c.off > 0 {
- n := xor(dst, src, c.block[c.off:])
- if n == length {
- c.off += n
- return
- }
- src = src[n:]
- dst = dst[n:]
- length -= n
- c.off = 0
- }
-
- if length >= 64 {
- XORBlocks(dst, src, &(c.state), c.rounds)
- }
-
- if n := length & (^(64 - 1)); length-n > 0 {
- Core(&(c.block), &(c.state), c.rounds)
-
- c.off += xor(dst[n:], src[n:], c.block[:])
- }
-}
-
-// XORBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
+// xorBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
// dst using the state. Src and dst may be the same slice
// but otherwise should not overlap. If len(dst) < len(src) the behavior
is undefined.
// This function increments the counter of state.
-func XORBlocks(dst, src []byte, state *[64]byte, rounds int) {
+func xorBlocks(dst, src []byte, state *[64]byte, rounds int) {
n := len(src) & (^(64 - 1))
var block [64]byte
diff --git a/chacha20/chacha/chacha_test.go b/chacha20/chacha/chacha_test.go
index c3370db..0baf582 100644
--- a/chacha20/chacha/chacha_test.go
+++ b/chacha20/chacha/chacha_test.go
@@ -97,5 +97,4 @@
}
mustFail2(t, "len(dst) < len(src)", dst[:len(src)-1], src)
-
}
diff --git a/chacha20/chacha20.go b/chacha20/chacha20.go
index 4da18f6..db3b224 100644
--- a/chacha20/chacha20.go
+++ b/chacha20/chacha20.go
@@ -21,7 +21,7 @@
"golang.org/x/crypto/chacha20/chacha"
)
-// The size of the ChaCha20 nonce in bytes.
+// NonceSize is the size of the ChaCha20 nonce in bytes.
const NonceSize = 12
// XORKeyStream crypts bytes from src to dst using the given key, nonce
and counter. Src
diff --git a/chacha20/chachaPoly1305.go b/chacha20/chachaPoly1305.go
index c0c3db9..35f1dcb 100644
--- a/chacha20/chachaPoly1305.go
+++ b/chacha20/chachaPoly1305.go
@@ -8,26 +8,18 @@
"crypto/cipher"
"crypto/subtle"
"errors"
- "strconv"
"golang.org/x/crypto/chacha20/chacha"
"golang.org/x/crypto/poly1305"
)
-// The max. size of the auth. tag for the ChaCha20Poly1305 AEAD cipher in
bytes.
+// TagSize is the max. size of the auth. tag for the ChaCha20Poly1305 AEAD
in bytes.
const TagSize = poly1305.TagSize
-type nonceSizeError int
-
-func (n nonceSizeError) Error() string {
- return "invalid nonce size " + strconv.Itoa(int(n))
-}
-
-type authenticationError struct{}
-
-func (a authenticationError) Error() string {
- return "authentication failed"
-}
+var (
+ errAuthFailed = errors.New("authentication failed")
+ errInvalidNonceSize = errors.New("nonce size is invalid")
+)
// NewChaCha20Poly1305 returns a cipher.AEAD implementing the
// ChaCha20Poly1305 construction specified in RFC 7539 with a
@@ -50,7 +42,7 @@
return c, nil
}
-// The AEAD cipher ChaCha20-Poly1305
+// The AEAD cipher ChaCha20Poly1305
type aead struct {
key [32]byte
tagsize int
@@ -62,59 +54,56 @@
func (c *aead) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
if n := len(nonce); n != NonceSize {
- panic("chacha20: invalid nonce size " + strconv.Itoa(n))
+ panic("chacha20: " + errInvalidNonceSize.Error())
}
- if len(dst) < len(plaintext)+c.tagsize {
- panic("chacha20: dst buffer to small")
- }
- var Nonce [12]byte
- copy(Nonce[:], nonce)
// create the poly1305 key
+ var Nonce [12]byte
+ copy(Nonce[:], nonce)
var polyKey [32]byte
chacha.XORKeyStream(polyKey[:], polyKey[:], &Nonce, &(c.key), 0, 20)
// encrypt the plaintext
n := len(plaintext)
- chacha.XORKeyStream(dst, plaintext, &Nonce, &(c.key), 1, 20)
+ ret, ciphertext := sliceForAppend(dst, n+c.tagsize)
+ chacha.XORKeyStream(ciphertext, plaintext, &Nonce, &(c.key), 1, 20)
// authenticate the ciphertext
var tag [poly1305.TagSize]byte
- authenticate(&tag, dst[:n], additionalData, &polyKey)
- return append(dst[:n], tag[:c.tagsize]...)
+ authenticate(&tag, ciphertext[:n], additionalData, &polyKey)
+ copy(ciphertext[n:], tag[:c.tagsize])
+
+ return ret
}
func (c *aead) Open(dst, nonce, ciphertext, additionalData []byte)
([]byte, error) {
if n := len(nonce); n != NonceSize {
- return nil, nonceSizeError(n)
+ return nil, errInvalidNonceSize
}
if len(ciphertext) < c.tagsize {
- return nil, authenticationError{}
+ return nil, errAuthFailed
}
- if len(dst) < len(ciphertext)-c.tagsize {
- panic("chacha20: dst buffer to small")
- }
- var Nonce [12]byte
-
- copy(Nonce[:], nonce)
-
- hash := ciphertext[len(ciphertext)-c.tagsize:]
- ciphertext = ciphertext[:len(ciphertext)-c.tagsize]
// create the poly1305 key
+ var Nonce [12]byte
+ copy(Nonce[:], nonce)
var polyKey [32]byte
chacha.XORKeyStream(polyKey[:], polyKey[:], &Nonce, &(c.key), 0, 20)
// authenticate the ciphertext
+ n := len(ciphertext) - c.tagsize
var tag [poly1305.TagSize]byte
- authenticate(&tag, ciphertext, additionalData, &polyKey)
- if subtle.ConstantTimeCompare(tag[:c.tagsize], hash[:c.tagsize]) != 1 {
- return nil, authenticationError{}
+ authenticate(&tag, ciphertext[:n], additionalData, &polyKey)
+ sum := ciphertext[n:]
+ if subtle.ConstantTimeCompare(tag[:c.tagsize], sum[:c.tagsize]) != 1 {
+ return nil, errAuthFailed
}
// decrypt ciphertext
- chacha.XORKeyStream(dst, ciphertext, &Nonce, &(c.key), 1, 20)
- return dst[:len(ciphertext)], nil
+ ret, plaintext := sliceForAppend(dst, n)
+ chacha.XORKeyStream(plaintext, ciphertext[:n], &Nonce, &(c.key), 1, 20)
+
+ return ret, nil
}
// authenticate calculates the poly1305 tag from
@@ -122,7 +111,7 @@
func authenticate(out *[TagSize]byte, ciphertext, additionalData []byte,
key *[32]byte) {
ctLen := uint64(len(ciphertext))
adLen := uint64(len(additionalData))
- padAD, padCT := adLen%16, ctLen%16
+ padAD, padCT := adLen%TagSize, ctLen%TagSize
var buf [16]byte
buf[0] = byte(adLen)
@@ -154,3 +143,18 @@
poly.Write(buf[:])
poly.Sum(out)
}
+
+// sliceForAppend takes a slice and a requested number of bytes. It
returns a
+// slice with the contents of the given slice followed by that many bytes
and a
+// second slice that aliases into it and contains only the extra bytes. If
the
+// original slice has sufficient capacity then no allocation is performed.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+ if total := len(in) + n; cap(in) >= total {
+ head = in[:total]
+ } else {
+ head = make([]byte, total)
+ copy(head, in)
+ }
+ tail = head[len(in):]
+ return
+}
diff --git a/chacha20/chachaPoly1305_test.go
b/chacha20/chachaPoly1305_test.go
index 4e040e5..d1b554a 100644
--- a/chacha20/chachaPoly1305_test.go
+++ b/chacha20/chachaPoly1305_test.go
@@ -75,13 +75,13 @@
}
buf := make([]byte, len(ciphertext))
- c.Seal(buf, nonce, msg, data)
+ c.Seal(buf[:0], nonce, msg, data)
if !bytes.Equal(buf, ciphertext) {
t.Fatalf("TestVector %d Seal failed:\nFound : %s\nExpected: %s", i,
hex.EncodeToString(buf), hex.EncodeToString(ciphertext))
}
- buf, err = c.Open(buf, nonce, buf, data)
+ buf, err = c.Open(buf[:0], nonce, buf, data)
if err != nil {
t.Fatalf("TestVector %d: Open failed - Cause: %s", i, err)
@@ -148,12 +148,10 @@
mustFail := func(msg string, dst, nonce, src []byte) {
defer recFunc(t, msg)
- c.Seal(dst, nonce, src, nil)
+ c.Seal(dst[:0], nonce, src, nil)
}
mustFail("nonce size is invalid", dst[:], nonce[:NonceSize-1], src[:])
-
- mustFail("dst length invalid", dst[:len(dst)-2], nonce[:], src[:])
}
func TestOpen(t *testing.T) {
@@ -176,16 +174,19 @@
t.Fatal("Open() accepted invalid ciphertext length")
}
- mustFail := func(msg string, dst, nonce, src []byte) {
- defer recFunc(t, msg)
- c.Open(dst, nonce, src, nil)
+ _, err = c.Open(dst[:], nonce[:], src[:TagSize-1], nil)
+ if err == nil {
+ t.Fatal("Open() accepted invalid ciphertext length")
}
- mustFail("dst length invalid", dst[:len(src)-TagSize-1], nonce[:], src[:])
+ _, err = c.Open(dst[:len(src)-TagSize-1], nonce[:], src[:], nil)
+ if err == nil {
+ t.Fatal("Open() accepted invalid dst length")
+ }
// Check tag verification
c.Seal(dst[:], nonce[:], src[:], nil)
- dst[len(src)+1] += 1 // modify tag
+ dst[len(src)+1]++ // modify tag
_, err = c.Open(src[:], nonce[:], dst[:], nil)
if err == nil {
@@ -195,70 +196,42 @@
// Benchmarks
-func BenchmarkSeal64B(b *testing.B) {
+func benchmarkSeal(b *testing.B, size int) {
var key [32]byte
var nonce [12]byte
c := NewChaCha20Poly1305(&key)
- msg := make([]byte, 64)
+ msg := make([]byte, size)
dst := make([]byte, len(msg)+TagSize)
data := make([]byte, 32)
- b.SetBytes(int64(len(msg)))
+ b.SetBytes(int64(size))
b.ResetTimer()
for i := 0; i < b.N; i++ {
- dst = c.Seal(dst, nonce[:], msg, data)
+ dst = c.Seal(dst[:0], nonce[:], msg, data)
}
}
-func BenchmarkSeal16K(b *testing.B) {
+func benchmarkOpen(b *testing.B, size int) {
var key [32]byte
var nonce [12]byte
c := NewChaCha20Poly1305(&key)
- msg := make([]byte, 16*1024)
- dst := make([]byte, len(msg)+TagSize)
+ msg := make([]byte, size)
+ dst := make([]byte, size)
+ ciphertext := make([]byte, size+TagSize)
data := make([]byte, 32)
+ ciphertext = c.Seal(ciphertext[:0], nonce[:], msg, data)
- b.SetBytes(int64(len(msg)))
+ b.SetBytes(int64(size))
b.ResetTimer()
for i := 0; i < b.N; i++ {
- dst = c.Seal(dst, nonce[:], msg, data)
+ dst, _ = c.Open(dst[:0], nonce[:], ciphertext, data)
}
}
-func BenchmarkOpen64B(b *testing.B) {
- var key [32]byte
- var nonce [12]byte
- c := NewChaCha20Poly1305(&key)
+func BenchmarkSeal64B(b *testing.B) { benchmarkSeal(b, 64) }
+func BenchmarkSeal16K(b *testing.B) { benchmarkSeal(b, 16*1024) }
- msg := make([]byte, 64)
- dst := make([]byte, len(msg))
- ciphertext := make([]byte, len(msg)+TagSize)
- data := make([]byte, 32)
- ciphertext = c.Seal(ciphertext, nonce[:], msg, data)
-
- b.SetBytes(int64(len(msg)))
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- dst, _ = c.Open(dst, nonce[:], ciphertext, data)
- }
-}
-
-func BenchmarkOpen16K(b *testing.B) {
- var key [32]byte
- var nonce [12]byte
- c := NewChaCha20Poly1305(&key)
-
- msg := make([]byte, 16*1024)
- dst := make([]byte, len(msg))
- ciphertext := make([]byte, len(msg)+TagSize)
- data := make([]byte, 32)
- ciphertext = c.Seal(ciphertext, nonce[:], msg, data)
-
- b.SetBytes(int64(len(msg)))
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- dst, _ = c.Open(dst, nonce[:], ciphertext, data)
- }
-}
+func BenchmarkOpen64B(b *testing.B) { benchmarkOpen(b, 64) }
+func BenchmarkOpen16K(b *testing.B) { benchmarkOpen(b, 16*1024) }
--
https://go-review.googlesource.com/25092
https://go-review.googlesource.com/25092
x/crypto: Add the ChaCha20 stream cipher and the ChaCha20Poly1305 AEAD
construction described in RFC 7539.
Therefore introduced a special poly1305.Hash struct to avoid memory
allocations (for the AEAD).
The chacha20 package is similar to the existing salsa20 package.
There is still room for performance improvements (AVX2...), but maybe it
can be used as
a template.
Change-Id: Icb7d3d36e33e25d3c9b7f7c84fdca93c9051f1af
---
M chacha20/chacha/chacha.go
M chacha20/chacha/chacha_amd64.go
M chacha20/chacha/chacha_amd64.s
M chacha20/chacha/chacha_ref.go
M chacha20/chacha/chacha_test.go
M chacha20/chacha20.go
M chacha20/chachaPoly1305.go
M chacha20/chachaPoly1305_test.go
8 files changed, 177 insertions(+), 230 deletions(-)
diff --git a/chacha20/chacha/chacha.go b/chacha20/chacha/chacha.go
index 8cef3dd..3e109a1 100644
--- a/chacha20/chacha/chacha.go
+++ b/chacha20/chacha/chacha.go
@@ -31,3 +31,34 @@
c.state[51] = byte(ctr >> 24)
c.off = 0
}
+
+// XORKeyStream crypts bytes from src to dst. Src and dst may be the same
slice
+// but otherwise should not overlap. If len(dst) < len(src) the function
panics.
+func (c *Cipher) XORKeyStream(dst, src []byte) {
+ length := len(src)
+ if len(dst) < length {
+ panic("chacha20/chacha: dst buffer is to small")
+ }
+
+ if c.off > 0 {
+ n := xor(dst, src, c.block[c.off:])
+ if n == length {
+ c.off += n
+ return
+ }
+ src = src[n:]
+ dst = dst[n:]
+ length -= n
+ c.off = 0
+ }
+
+ if length >= 64 {
+ xorBlocks(dst, src, &(c.state), c.rounds)
+ }
+
+ if n := length & (^(64 - 1)); length-n > 0 {
+ Core(&(c.block), &(c.state), c.rounds)
+
+ c.off += xor(dst[n:], src[n:], c.block[:])
+ }
+}
diff --git a/chacha20/chacha/chacha_amd64.go
b/chacha20/chacha/chacha_amd64.go
index 1d6c2ae..676ae47 100644
--- a/chacha20/chacha/chacha_amd64.go
+++ b/chacha20/chacha/chacha_amd64.go
@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-// +build amd64,!gccgo,!appengine
+// +build amd64, !gccgo, !appengine
package chacha
@@ -40,7 +40,7 @@
statePtr[7] = *(*uint64)(unsafe.Pointer(&nonce[4]))
if length >= 64 {
- XORBlocks(dst, src, &state, rounds)
+ xorBlocks(dst, src, &state, rounds)
}
if n := length & (^(64 - 1)); length-n > 0 {
@@ -77,42 +77,12 @@
return c
}
-// XORKeyStream crypts bytes from src to dst. Src and dst may be the same
slice
-// but otherwise should not overlap. If len(dst) < len(src) the function
panics.
-func (c *Cipher) XORKeyStream(dst, src []byte) {
- length := len(src)
- if len(dst) < length {
- panic("chacha20/chacha: dst buffer is to small")
- }
-
- if c.off > 0 {
- n := xor(dst, src, c.block[c.off:])
- if n == length {
- c.off += n
- return
- }
- src = src[n:]
- dst = dst[n:]
- length -= n
- c.off = 0
- }
-
- if length >= 64 {
- XORBlocks(dst, src, &(c.state), c.rounds)
- }
-
- if n := length & (^(64 - 1)); length-n > 0 {
- Core(&(c.block), &(c.state), c.rounds)
-
- c.off += xor(dst[n:], src[n:], c.block[:])
- }
-}
-
-// XORBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
+// xorBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
// dst using the state. Src and dst may be the same slice but otherwise
should not
// overlap. This function increments the counter of state.
// If len(src) > len(dst), XORBlocks does nothing.
-func XORBlocks(dst, src []byte, state *[64]byte, rounds int)
+//go:noescape
+func xorBlocks(dst, src []byte, state *[64]byte, rounds int)
// Core generates 64 byte keystream from the given state
performing 'rounds' rounds
// and writes them to dst. This function expects valid values. (no nil ptr
etc.)
diff --git a/chacha20/chacha/chacha_amd64.s b/chacha20/chacha/chacha_amd64.s
index 0d71073..033c294 100644
--- a/chacha20/chacha/chacha_amd64.s
+++ b/chacha20/chacha/chacha_amd64.s
@@ -75,53 +75,53 @@
PSHUFL $57, v7, v7
#define HALF_ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11,
v12, v13, v14, v15, t0) \
- PADDL v1, v0; \
+ PADDL v1, v0; \
PADDL v5, v4; \
- PADDL v9, v8; \
- PADDL v13, v12; \
- PXOR v0, v3; \
- PXOR v4, v7; \
- PXOR v8, v11; \
- PXOR v12, v15; \
- MOVO v12, t0; \
+ PADDL v9, v8; \
+ PADDL v13, v12; \
+ PXOR v0, v3; \
+ PXOR v4, v7; \
+ PXOR v8, v11; \
+ PXOR v12, v15; \
+ MOVO v12, t0; \
ROTL32(16, v3, v12); \
ROTL32(16, v7, v12); \
ROTL32(16, v11, v12); \
ROTL32(16, v15, v12); \
- PADDL v3, v2; \
- PADDL v7, v6; \
- PADDL v11, v10; \
- PADDL v15, v14; \
- PXOR v2, v1; \
- PXOR v6, v5; \
- PXOR v10, v9; \
- PXOR v14, v13; \
+ PADDL v3, v2; \
+ PADDL v7, v6; \
+ PADDL v11, v10; \
+ PADDL v15, v14; \
+ PXOR v2, v1; \
+ PXOR v6, v5; \
+ PXOR v10, v9; \
+ PXOR v14, v13; \
ROTL32(12, v1, v12); \
ROTL32(12, v5, v12); \
ROTL32(12, v9, v12); \
ROTL32(12, v13, v12); \
- MOVO t0, v12; \
- PADDL v1, v0; \
- PADDL v5, v4; \
- PADDL v9, v8; \
- PADDL v13, v12; \
- PXOR v0, v3; \
- PXOR v4, v7; \
- PXOR v8, v11; \
- PXOR v12, v15; \
- MOVO v12, 16(SP); \
+ MOVO t0, v12; \
+ PADDL v1, v0; \
+ PADDL v5, v4; \
+ PADDL v9, v8; \
+ PADDL v13, v12; \
+ PXOR v0, v3; \
+ PXOR v4, v7; \
+ PXOR v8, v11; \
+ PXOR v12, v15; \
+ MOVO v12, 16(SP); \
ROTL32(8, v3, v12); \
ROTL32(8, v7, v12); \
ROTL32(8, v11, v12); \
ROTL32(8, v15, v12); \
- PADDL v3, v2; \
- PADDL v7, v6; \
- PADDL v11, v10; \
- PADDL v15, v14; \
- PXOR v2, v1; \
- PXOR v6, v5; \
- PXOR v10, v9; \
- PXOR v14, v13; \
+ PADDL v3, v2; \
+ PADDL v7, v6; \
+ PADDL v11, v10; \
+ PADDL v15, v14; \
+ PXOR v2, v1; \
+ PXOR v6, v5; \
+ PXOR v10, v9; \
+ PXOR v14, v13; \
ROTL32(7, v1, v12); \
ROTL32(7, v5, v12); \
ROTL32(7, v9, v12); \
@@ -129,32 +129,32 @@
#define ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12,
v13, v14, v15, t0) \
HALF_ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12,
v13, v14, v15, t0); \
- PSHUFL $57, v1, v1; \
- PSHUFL $57, v5, v5; \
- PSHUFL $57, v9, v9; \
- PSHUFL $57, v13, v13; \
- PSHUFL $78, v2, v2; \
- PSHUFL $78, v6, v6; \
- PSHUFL $78, v10, v10; \
- PSHUFL $78, v14, v14; \
- PSHUFL $147, v3, v3; \
- PSHUFL $147, v7, v7; \
- PSHUFL $147, v11, v11; \
- PSHUFL $147, v15, v15; \
- MOVO t0, v12; \
+ PSHUFL $57, v1, v1; \
+ PSHUFL $57, v5, v5; \
+ PSHUFL $57, v9, v9; \
+ PSHUFL $57, v13, v13; \
+ PSHUFL $78, v2, v2; \
+ PSHUFL $78, v6, v6; \
+ PSHUFL $78, v10, v10; \
+ PSHUFL $78, v14, v14; \
+ PSHUFL $147, v3, v3; \
+ PSHUFL $147, v7, v7; \
+ PSHUFL $147, v11, v11; \
+ PSHUFL $147, v15, v15; \
+ MOVO t0, v12; \
HALF_ROUND_256B(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12,
v13, v14, v15, t0); \
- PSHUFL $147, v1, v1; \
- PSHUFL $147, v5, v5; \
- PSHUFL $147, v9, v9; \
- PSHUFL $147, v13, v13; \
- PSHUFL $78, v2, v2; \
- PSHUFL $78, v6, v6; \
- PSHUFL $78, v10, v10; \
- PSHUFL $78, v14, v14; \
- PSHUFL $57, v3, v3; \
- PSHUFL $57, v7, v7; \
- PSHUFL $57, v11, v11; \
- PSHUFL $57, v15, v15; \
+ PSHUFL $147, v1, v1; \
+ PSHUFL $147, v5, v5; \
+ PSHUFL $147, v9, v9; \
+ PSHUFL $147, v13, v13; \
+ PSHUFL $78, v2, v2; \
+ PSHUFL $78, v6, v6; \
+ PSHUFL $78, v10, v10; \
+ PSHUFL $78, v14, v14; \
+ PSHUFL $57, v3, v3; \
+ PSHUFL $57, v7, v7; \
+ PSHUFL $57, v11, v11; \
+ PSHUFL $57, v15, v15; \
MOVO t0, v12
#define XOR_64B(dst, src, off, v0 , v1 , v2 , v3 , t0) \
@@ -201,13 +201,14 @@
MOVL DI, 48(AX)
RET
-TEXT ·XORBlocks(SB),4,$0-64
+// func xorBlocks(dst, src []byte, state *[64]byte, rounds int)
+TEXT ·xorBlocks(SB),4,$0-64
MOVQ state+48(FP), AX
- MOVQ dst+0(FP), BX
- MOVQ src+24(FP), CX
- MOVQ src+32(FP), DX
+ MOVQ dst_base+0(FP), BX
+ MOVQ src_base+24(FP), CX
+ MOVQ src_len+32(FP), DX
MOVQ rounds+56(FP), DI
- CMPQ dst+8(FP), DX
+ CMPQ dst_len+8(FP), DX
JB DONE
MOVQ SP, SI
@@ -273,7 +274,7 @@
PADDL 16(AX), X13
PADDL 32(AX), X14
PADDL X3, X15
- XOR_64B(BX, CX, 192, X12, X13, X14, X15, X0)
+ XOR_64B(BX, CX, 192, X12, X13, X14, X15, X0)
PADDQ 0(SP), X3
MOVO X3, 48(AX)
ADDQ $256, CX
@@ -341,7 +342,7 @@
PADDL X1, X5
PADDL X2, X6
PADDL X3, X7
- XOR_64B(BX, CX, 0, X4, X5, X6, X7, X8)
+ XOR_64B(BX, CX, 0, X4, X5, X6, X7, X8)
PADDQ X15, X3
MOVO X3, 48(AX)
DONE:
diff --git a/chacha20/chacha/chacha_ref.go b/chacha20/chacha/chacha_ref.go
index e9bc735..c2758b6 100644
--- a/chacha20/chacha/chacha_ref.go
+++ b/chacha20/chacha/chacha_ref.go
@@ -33,7 +33,7 @@
copy(state[52:], nonce[:])
if length >= 64 {
- XORBlocks(dst, src, &state, rounds)
+ xorBlocks(dst, src, &state, rounds)
}
if n := length & (^(64 - 1)); length-n > 0 {
@@ -62,42 +62,11 @@
return c
}
-// XORKeyStream crypts bytes from src to dst. Src and dst may be the same
slice
-// but otherwise should not overlap. If len(dst) < len(src) the function
panics.
-func (c *Cipher) XORKeyStream(dst, src []byte) {
- length := len(src)
- if len(dst) < length {
- panic("chacha20/chacha: dst buffer is to small")
- }
-
- if c.off > 0 {
- n := xor(dst, src, c.block[c.off:])
- if n == length {
- c.off += n
- return
- }
- src = src[n:]
- dst = dst[n:]
- length -= n
- c.off = 0
- }
-
- if length >= 64 {
- XORBlocks(dst, src, &(c.state), c.rounds)
- }
-
- if n := length & (^(64 - 1)); length-n > 0 {
- Core(&(c.block), &(c.state), c.rounds)
-
- c.off += xor(dst[n:], src[n:], c.block[:])
- }
-}
-
-// XORBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
+// xorBlocks crypts full block ( len(src) - (len(src) mod 64) bytes ) from
src to
// dst using the state. Src and dst may be the same slice
// but otherwise should not overlap. If len(dst) < len(src) the behavior
is undefined.
// This function increments the counter of state.
-func XORBlocks(dst, src []byte, state *[64]byte, rounds int) {
+func xorBlocks(dst, src []byte, state *[64]byte, rounds int) {
n := len(src) & (^(64 - 1))
var block [64]byte
diff --git a/chacha20/chacha/chacha_test.go b/chacha20/chacha/chacha_test.go
index c3370db..0baf582 100644
--- a/chacha20/chacha/chacha_test.go
+++ b/chacha20/chacha/chacha_test.go
@@ -97,5 +97,4 @@
}
mustFail2(t, "len(dst) < len(src)", dst[:len(src)-1], src)
-
}
diff --git a/chacha20/chacha20.go b/chacha20/chacha20.go
index 4da18f6..db3b224 100644
--- a/chacha20/chacha20.go
+++ b/chacha20/chacha20.go
@@ -21,7 +21,7 @@
"golang.org/x/crypto/chacha20/chacha"
)
-// The size of the ChaCha20 nonce in bytes.
+// NonceSize is the size of the ChaCha20 nonce in bytes.
const NonceSize = 12
// XORKeyStream crypts bytes from src to dst using the given key, nonce
and counter. Src
diff --git a/chacha20/chachaPoly1305.go b/chacha20/chachaPoly1305.go
index c0c3db9..35f1dcb 100644
--- a/chacha20/chachaPoly1305.go
+++ b/chacha20/chachaPoly1305.go
@@ -8,26 +8,18 @@
"crypto/cipher"
"crypto/subtle"
"errors"
- "strconv"
"golang.org/x/crypto/chacha20/chacha"
"golang.org/x/crypto/poly1305"
)
-// The max. size of the auth. tag for the ChaCha20Poly1305 AEAD cipher in
bytes.
+// TagSize is the max. size of the auth. tag for the ChaCha20Poly1305 AEAD
in bytes.
const TagSize = poly1305.TagSize
-type nonceSizeError int
-
-func (n nonceSizeError) Error() string {
- return "invalid nonce size " + strconv.Itoa(int(n))
-}
-
-type authenticationError struct{}
-
-func (a authenticationError) Error() string {
- return "authentication failed"
-}
+var (
+ errAuthFailed = errors.New("authentication failed")
+ errInvalidNonceSize = errors.New("nonce size is invalid")
+)
// NewChaCha20Poly1305 returns a cipher.AEAD implementing the
// ChaCha20Poly1305 construction specified in RFC 7539 with a
@@ -50,7 +42,7 @@
return c, nil
}
-// The AEAD cipher ChaCha20-Poly1305
+// The AEAD cipher ChaCha20Poly1305
type aead struct {
key [32]byte
tagsize int
@@ -62,59 +54,56 @@
func (c *aead) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
if n := len(nonce); n != NonceSize {
- panic("chacha20: invalid nonce size " + strconv.Itoa(n))
+ panic("chacha20: " + errInvalidNonceSize.Error())
}
- if len(dst) < len(plaintext)+c.tagsize {
- panic("chacha20: dst buffer to small")
- }
- var Nonce [12]byte
- copy(Nonce[:], nonce)
// create the poly1305 key
+ var Nonce [12]byte
+ copy(Nonce[:], nonce)
var polyKey [32]byte
chacha.XORKeyStream(polyKey[:], polyKey[:], &Nonce, &(c.key), 0, 20)
// encrypt the plaintext
n := len(plaintext)
- chacha.XORKeyStream(dst, plaintext, &Nonce, &(c.key), 1, 20)
+ ret, ciphertext := sliceForAppend(dst, n+c.tagsize)
+ chacha.XORKeyStream(ciphertext, plaintext, &Nonce, &(c.key), 1, 20)
// authenticate the ciphertext
var tag [poly1305.TagSize]byte
- authenticate(&tag, dst[:n], additionalData, &polyKey)
- return append(dst[:n], tag[:c.tagsize]...)
+ authenticate(&tag, ciphertext[:n], additionalData, &polyKey)
+ copy(ciphertext[n:], tag[:c.tagsize])
+
+ return ret
}
func (c *aead) Open(dst, nonce, ciphertext, additionalData []byte)
([]byte, error) {
if n := len(nonce); n != NonceSize {
- return nil, nonceSizeError(n)
+ return nil, errInvalidNonceSize
}
if len(ciphertext) < c.tagsize {
- return nil, authenticationError{}
+ return nil, errAuthFailed
}
- if len(dst) < len(ciphertext)-c.tagsize {
- panic("chacha20: dst buffer to small")
- }
- var Nonce [12]byte
-
- copy(Nonce[:], nonce)
-
- hash := ciphertext[len(ciphertext)-c.tagsize:]
- ciphertext = ciphertext[:len(ciphertext)-c.tagsize]
// create the poly1305 key
+ var Nonce [12]byte
+ copy(Nonce[:], nonce)
var polyKey [32]byte
chacha.XORKeyStream(polyKey[:], polyKey[:], &Nonce, &(c.key), 0, 20)
// authenticate the ciphertext
+ n := len(ciphertext) - c.tagsize
var tag [poly1305.TagSize]byte
- authenticate(&tag, ciphertext, additionalData, &polyKey)
- if subtle.ConstantTimeCompare(tag[:c.tagsize], hash[:c.tagsize]) != 1 {
- return nil, authenticationError{}
+ authenticate(&tag, ciphertext[:n], additionalData, &polyKey)
+ sum := ciphertext[n:]
+ if subtle.ConstantTimeCompare(tag[:c.tagsize], sum[:c.tagsize]) != 1 {
+ return nil, errAuthFailed
}
// decrypt ciphertext
- chacha.XORKeyStream(dst, ciphertext, &Nonce, &(c.key), 1, 20)
- return dst[:len(ciphertext)], nil
+ ret, plaintext := sliceForAppend(dst, n)
+ chacha.XORKeyStream(plaintext, ciphertext[:n], &Nonce, &(c.key), 1, 20)
+
+ return ret, nil
}
// authenticate calculates the poly1305 tag from
@@ -122,7 +111,7 @@
func authenticate(out *[TagSize]byte, ciphertext, additionalData []byte,
key *[32]byte) {
ctLen := uint64(len(ciphertext))
adLen := uint64(len(additionalData))
- padAD, padCT := adLen%16, ctLen%16
+ padAD, padCT := adLen%TagSize, ctLen%TagSize
var buf [16]byte
buf[0] = byte(adLen)
@@ -154,3 +143,18 @@
poly.Write(buf[:])
poly.Sum(out)
}
+
+// sliceForAppend takes a slice and a requested number of bytes. It
returns a
+// slice with the contents of the given slice followed by that many bytes
and a
+// second slice that aliases into it and contains only the extra bytes. If
the
+// original slice has sufficient capacity then no allocation is performed.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+ if total := len(in) + n; cap(in) >= total {
+ head = in[:total]
+ } else {
+ head = make([]byte, total)
+ copy(head, in)
+ }
+ tail = head[len(in):]
+ return
+}
diff --git a/chacha20/chachaPoly1305_test.go
b/chacha20/chachaPoly1305_test.go
index 4e040e5..d1b554a 100644
--- a/chacha20/chachaPoly1305_test.go
+++ b/chacha20/chachaPoly1305_test.go
@@ -75,13 +75,13 @@
}
buf := make([]byte, len(ciphertext))
- c.Seal(buf, nonce, msg, data)
+ c.Seal(buf[:0], nonce, msg, data)
if !bytes.Equal(buf, ciphertext) {
t.Fatalf("TestVector %d Seal failed:\nFound : %s\nExpected: %s", i,
hex.EncodeToString(buf), hex.EncodeToString(ciphertext))
}
- buf, err = c.Open(buf, nonce, buf, data)
+ buf, err = c.Open(buf[:0], nonce, buf, data)
if err != nil {
t.Fatalf("TestVector %d: Open failed - Cause: %s", i, err)
@@ -148,12 +148,10 @@
mustFail := func(msg string, dst, nonce, src []byte) {
defer recFunc(t, msg)
- c.Seal(dst, nonce, src, nil)
+ c.Seal(dst[:0], nonce, src, nil)
}
mustFail("nonce size is invalid", dst[:], nonce[:NonceSize-1], src[:])
-
- mustFail("dst length invalid", dst[:len(dst)-2], nonce[:], src[:])
}
func TestOpen(t *testing.T) {
@@ -176,16 +174,19 @@
t.Fatal("Open() accepted invalid ciphertext length")
}
- mustFail := func(msg string, dst, nonce, src []byte) {
- defer recFunc(t, msg)
- c.Open(dst, nonce, src, nil)
+ _, err = c.Open(dst[:], nonce[:], src[:TagSize-1], nil)
+ if err == nil {
+ t.Fatal("Open() accepted invalid ciphertext length")
}
- mustFail("dst length invalid", dst[:len(src)-TagSize-1], nonce[:], src[:])
+ _, err = c.Open(dst[:len(src)-TagSize-1], nonce[:], src[:], nil)
+ if err == nil {
+ t.Fatal("Open() accepted invalid dst length")
+ }
// Check tag verification
c.Seal(dst[:], nonce[:], src[:], nil)
- dst[len(src)+1] += 1 // modify tag
+ dst[len(src)+1]++ // modify tag
_, err = c.Open(src[:], nonce[:], dst[:], nil)
if err == nil {
@@ -195,70 +196,42 @@
// Benchmarks
-func BenchmarkSeal64B(b *testing.B) {
+func benchmarkSeal(b *testing.B, size int) {
var key [32]byte
var nonce [12]byte
c := NewChaCha20Poly1305(&key)
- msg := make([]byte, 64)
+ msg := make([]byte, size)
dst := make([]byte, len(msg)+TagSize)
data := make([]byte, 32)
- b.SetBytes(int64(len(msg)))
+ b.SetBytes(int64(size))
b.ResetTimer()
for i := 0; i < b.N; i++ {
- dst = c.Seal(dst, nonce[:], msg, data)
+ dst = c.Seal(dst[:0], nonce[:], msg, data)
}
}
-func BenchmarkSeal16K(b *testing.B) {
+func benchmarkOpen(b *testing.B, size int) {
var key [32]byte
var nonce [12]byte
c := NewChaCha20Poly1305(&key)
- msg := make([]byte, 16*1024)
- dst := make([]byte, len(msg)+TagSize)
+ msg := make([]byte, size)
+ dst := make([]byte, size)
+ ciphertext := make([]byte, size+TagSize)
data := make([]byte, 32)
+ ciphertext = c.Seal(ciphertext[:0], nonce[:], msg, data)
- b.SetBytes(int64(len(msg)))
+ b.SetBytes(int64(size))
b.ResetTimer()
for i := 0; i < b.N; i++ {
- dst = c.Seal(dst, nonce[:], msg, data)
+ dst, _ = c.Open(dst[:0], nonce[:], ciphertext, data)
}
}
-func BenchmarkOpen64B(b *testing.B) {
- var key [32]byte
- var nonce [12]byte
- c := NewChaCha20Poly1305(&key)
+func BenchmarkSeal64B(b *testing.B) { benchmarkSeal(b, 64) }
+func BenchmarkSeal16K(b *testing.B) { benchmarkSeal(b, 16*1024) }
- msg := make([]byte, 64)
- dst := make([]byte, len(msg))
- ciphertext := make([]byte, len(msg)+TagSize)
- data := make([]byte, 32)
- ciphertext = c.Seal(ciphertext, nonce[:], msg, data)
-
- b.SetBytes(int64(len(msg)))
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- dst, _ = c.Open(dst, nonce[:], ciphertext, data)
- }
-}
-
-func BenchmarkOpen16K(b *testing.B) {
- var key [32]byte
- var nonce [12]byte
- c := NewChaCha20Poly1305(&key)
-
- msg := make([]byte, 16*1024)
- dst := make([]byte, len(msg))
- ciphertext := make([]byte, len(msg)+TagSize)
- data := make([]byte, 32)
- ciphertext = c.Seal(ciphertext, nonce[:], msg, data)
-
- b.SetBytes(int64(len(msg)))
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- dst, _ = c.Open(dst, nonce[:], ciphertext, data)
- }
-}
+func BenchmarkOpen64B(b *testing.B) { benchmarkOpen(b, 64) }
+func BenchmarkOpen16K(b *testing.B) { benchmarkOpen(b, 16*1024) }
--
https://go-review.googlesource.com/25092
Andreas Auernhammer (Gerrit)
Jul 20, 2016, 3:15:27 PM7/20/16
to golang-co...@googlegroups.com
Andreas Auernhammer has abandoned this change.
Change subject: x/crypto: Add the ChaCha20 stream cipher and the
Abandoned
Created by mistake
--
https://go-review.googlesource.com/25092
Change subject: x/crypto: Add the ChaCha20 stream cipher and the
ChaCha20Poly1305 AEAD construction described in RFC 7539.
......................................................................
Abandoned
Created by mistake
--
https://go-review.googlesource.com/25092
Reply all
Reply to author
Forward
0 new messages