// TestNewSessionFailures validates some of the failure modes for NewSession.
func TestNewSessionFailures(t *testing.T) {
r := util.PRNG()
b := &bytes.Buffer{}
util.SetPRNG(b)
if _, _, err := NewSession(peer); err == nil {
util.SetPRNG(r)
t.Fatal("auth: expected new session failure with PRNG failure")
}
tmp := make([]byte, sessionLength)
b.Write(tmp)
if _, _, err := NewSession(peer); err == nil {
util.SetPRNG(r)
t.Fatal("auth: expected new session failure with PRNG failure")
}
util.SetPRNG(r)
tmp = make([]byte, 16)
if _, _, err := NewSession(tmp); err == nil {
t.Fatal("auth: expected new session failure with invalid public key")
}
}
func TestEncrypt(t *testing.T) {
k := GenerateKey()
ct, ok := Encrypt(k, message)
if !ok {
t.Fatal("secret: encrypt fails")
}
pt, ok := Decrypt(k, ct)
if !ok {
t.Fatal("secret: decrypt fails")
}
if !bytes.Equal(pt, message) {
t.Fatal("secret: decrypted plaintext doesn't match original")
}
util.SetPRNG(&bytes.Buffer{})
if _, ok = Encrypt(k, message); ok {
t.Fatal("secret: encrypt should fail with bad PRNG")
}
util.SetPRNG(rand.Reader)
if _, ok = Decrypt(k, message[:nonceSize-1]); ok {
t.Fatal("secret: encrypt should fail with bad ciphertext")
}
}
func TestEncryptFailure(t *testing.T) {
pub := &PublicKey{}
message := []byte("do not go gentle into that good night")
if _, ok := Encrypt(pub, message); ok {
t.Fatal("public: encrypt should fail with invalid public key")
}
util.SetPRNG(&bytes.Buffer{})
if _, ok := Encrypt(testKey.PublicKey, message); ok {
t.Fatal("public: encrypt should fail with PRNG failure")
}
util.SetPRNG(rand.Reader)
out, ok := Encrypt(testKey.PublicKey, message)
if !ok {
t.Fatal("public: encrypt failed")
}
priv := &PrivateKey{}
if _, ok = Decrypt(priv, out); ok {
t.Fatal("public: decrypt should fail with invalid private key")
}
if _, ok = Decrypt(testKey, out[:32]); ok {
t.Fatal("public: decrypt should fail with invalid ciphertext")
}
}
func TestExportKeyFails(t *testing.T) {
util.SetPRNG(&bytes.Buffer{})
if _, err := ExportPrivate(testKey, []byte("hello, world")); err == nil {
t.Fatalf("public: expect exporting private key to fail with PRNG failure")
}
util.SetPRNG(rand.Reader)
}
// TestTOTPPRNGFailure validates failures when the PRNG fails.
func TestTOTPPRNGFailure(t *testing.T) {
oldPRNG := util.PRNG()
util.SetPRNG(&bytes.Buffer{})
_, _, err := NewGoogleTOTP("")
if err == nil {
t.Fatal("auth: expect TOTP generation failure in the face of a PRNG failure")
}
util.SetPRNG(oldPRNG)
}
func TestGenerateKey(t *testing.T) {
if k := GenerateKey(); k == nil {
t.Fatal("secret: failed to generate new key")
}
var buf = new(bytes.Buffer)
util.SetPRNG(buf)
if k := GenerateKey(); k != nil {
log.Printf("key: %x", k)
t.Fatal("secret: should fail to generate new key with bad PRNG")
}
util.SetPRNG(rand.Reader)
}
func TestGenerateFailure(t *testing.T) {
b := &bytes.Buffer{}
util.SetPRNG(b)
_, err := GenerateKey()
if err == nil {
t.Fatalf("%v", err)
}
seed := make([]byte, 32)
b.Write(seed)
_, err = GenerateKey()
if err == nil {
t.Fatalf("%v", err)
}
util.SetPRNG(rand.Reader)
}
func TestLockKey(t *testing.T) {
key, err := GenerateKey()
if err != nil {
t.Fatalf("Failed to generate test key: %v", err)
}
out, ok := EncryptAndSign(testKey, key.PublicKey, message)
if !ok {
t.Fatal("Failed to encrypt and sign message.")
}
locked, ok := LockKey(key, []byte("this is my password"))
if !ok {
t.Fatal("Failed to lock key.")
}
_, ok = UnlockKey(locked, []byte("this is my password."))
if ok {
t.Fatal("Unlocked with wrong passphrase.")
}
priv, ok := UnlockKey(locked, []byte("this is my password"))
if !ok {
t.Fatal("Unlocking key failed.")
}
recovered, ok := DecryptAndVerify(priv, testKey.PublicKey, out)
if !ok {
t.Fatal("Failed to decrypt and verify message.")
}
if !bytes.Equal(message, recovered) {
t.Fatalf("Corrupt message.\nRecovered: %x\nMessage: %x\n",
recovered, message)
}
salt := util.RandBytes(saltSize)
buf := bytes.NewBuffer(salt)
util.SetPRNG(buf)
_, ok = LockKey(priv, []byte("password"))
if ok {
t.Fatal("public: expect locking to fail with bad PRNG")
}
util.SetPRNG(rand.Reader)
}
// TestSessionValidationFailures validates some of the failure modes
// for validating sessions.
func TestSessionValidationFailures(t *testing.T) {
next, err := hex.DecodeString(sessionAuth.Last)
if err != nil {
t.Fatalf("%v", err)
}
otp := testSession.OTP(next)
last := sessionAuth.Last
sessionAuth.Last = "Z" + otp[1:]
if _, err = ValidateSession(sessionAuth, otp); err == nil {
t.Fatalf("auth: expect session validation failure with invalid last value")
}
sessionAuth.Last = last
var tmpOTP string
if otp[0] == 'a' {
tmpOTP = "b" + otp[1:]
} else {
tmpOTP = "a" + otp[1:]
}
if _, err = ValidateSession(sessionAuth, tmpOTP); err == nil {
t.Fatalf("auth: expect session validation failure with invalid last value")
}
offset := 3*sessionLength + 1
if otp[sessionLength+1] == 'a' {
tmpOTP = otp[:offset] + "b" + otp[offset+1:]
} else {
tmpOTP = otp[:offset] + "a" + otp[offset+1:]
}
if _, err = ValidateSession(sessionAuth, tmpOTP); err == nil {
t.Fatal("auth: expect session validation failure with invalid HMAC")
}
b := &bytes.Buffer{}
util.SetPRNG(b)
_, err = ValidateSession(sessionAuth, otp)
util.SetPRNG(rand.Reader)
if err == nil {
t.Fatal("auth: expect session validation failure with PRNG failure")
}
}
func TestEncryptFile(t *testing.T) {
defer os.Remove(testEncryptedFile)
err := EncryptFile(testEncryptedFile, password, dup(message))
if err != nil {
t.Fatalf("%v", err)
}
out, err := DecryptFile(testEncryptedFile, password)
if err != nil {
t.Fatalf("%v", err)
}
if !bytes.Equal(out, message) {
t.Fatal("secret: decrypted file doesn't match original message")
}
if _, err = DecryptFile(testNoSuchFile, password); err == nil {
t.Fatal("secret: decrypt file should fail with IO error")
}
if _, err = DecryptFile(testUnencryptedFile, password); err == nil {
t.Fatal("secret: decrypt file should fail with unencrypted file")
}
salt := util.RandBytes(SaltSize)
buf := &bytes.Buffer{}
util.SetPRNG(buf)
err = EncryptFile(testEncryptedFile, password, dup(message))
if err == nil {
t.Fatal("secret: encrypt file should fail with bad PRNG")
}
buf.Write(salt)
err = EncryptFile(testEncryptedFile, password, dup(message))
if err == nil {
t.Fatal("secret: encrypt file should fail with bad PRNG")
}
util.SetPRNG(rand.Reader)
}
