9331fc6eac
Add 29 new tests across auth/, crypt/, and trust/ packages: - auth: concurrent sessions, token uniqueness, challenge expiry boundary, empty password, long/unicode usernames, air-gapped round-trip, expired refresh - crypt: wrong passphrase, empty/large plaintext, KDF determinism, HKDF info separation, checksum edge cases - trust: concurrent registry operations, tier validation, token expiry boundary, empty ScopedRepos behaviour, unknown capabilities Add benchmark suites: - crypt: Argon2, ChaCha20, AES-GCM, HMAC (1KB/1MB payloads) - trust: PolicyEvaluate (100 agents), RegistryGet, RegistryRegister Security audit documented in FINDINGS.md: - F1: LTHN hash used for password verification (medium) - F2: PGP private keys not zeroed after use (low, upstream limitation) - F3: Empty ScopedRepos bypasses repo scope check (medium) - F4: go vet clean, no math/rand, no secrets in error messages All tests pass with -race. go vet clean. Co-Authored-By: Virgil <virgil@lethean.io> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
103 lines
2.4 KiB
Go
103 lines
2.4 KiB
Go
package crypt
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"testing"
|
|
)
|
|
|
|
// BenchmarkArgon2Derive measures Argon2id key derivation (32-byte key).
|
|
func BenchmarkArgon2Derive(b *testing.B) {
|
|
passphrase := []byte("benchmark-passphrase")
|
|
salt := make([]byte, argon2SaltLen)
|
|
_, _ = rand.Read(salt)
|
|
|
|
b.ResetTimer()
|
|
for i := 0; i < b.N; i++ {
|
|
_ = DeriveKey(passphrase, salt, argon2KeyLen)
|
|
}
|
|
}
|
|
|
|
// BenchmarkChaCha20Encrypt_1KB measures ChaCha20-Poly1305 encryption of 1KB.
|
|
func BenchmarkChaCha20Encrypt_1KB(b *testing.B) {
|
|
key := make([]byte, 32)
|
|
_, _ = rand.Read(key)
|
|
plaintext := make([]byte, 1024)
|
|
_, _ = rand.Read(plaintext)
|
|
|
|
b.ResetTimer()
|
|
b.SetBytes(1024)
|
|
for i := 0; i < b.N; i++ {
|
|
_, _ = ChaCha20Encrypt(plaintext, key)
|
|
}
|
|
}
|
|
|
|
// BenchmarkChaCha20Encrypt_1MB measures ChaCha20-Poly1305 encryption of 1MB.
|
|
func BenchmarkChaCha20Encrypt_1MB(b *testing.B) {
|
|
key := make([]byte, 32)
|
|
_, _ = rand.Read(key)
|
|
plaintext := make([]byte, 1024*1024)
|
|
_, _ = rand.Read(plaintext)
|
|
|
|
b.ResetTimer()
|
|
b.SetBytes(1024 * 1024)
|
|
for i := 0; i < b.N; i++ {
|
|
_, _ = ChaCha20Encrypt(plaintext, key)
|
|
}
|
|
}
|
|
|
|
// BenchmarkAESGCMEncrypt_1KB measures AES-256-GCM encryption of 1KB.
|
|
func BenchmarkAESGCMEncrypt_1KB(b *testing.B) {
|
|
key := make([]byte, 32)
|
|
_, _ = rand.Read(key)
|
|
plaintext := make([]byte, 1024)
|
|
_, _ = rand.Read(plaintext)
|
|
|
|
b.ResetTimer()
|
|
b.SetBytes(1024)
|
|
for i := 0; i < b.N; i++ {
|
|
_, _ = AESGCMEncrypt(plaintext, key)
|
|
}
|
|
}
|
|
|
|
// BenchmarkAESGCMEncrypt_1MB measures AES-256-GCM encryption of 1MB.
|
|
func BenchmarkAESGCMEncrypt_1MB(b *testing.B) {
|
|
key := make([]byte, 32)
|
|
_, _ = rand.Read(key)
|
|
plaintext := make([]byte, 1024*1024)
|
|
_, _ = rand.Read(plaintext)
|
|
|
|
b.ResetTimer()
|
|
b.SetBytes(1024 * 1024)
|
|
for i := 0; i < b.N; i++ {
|
|
_, _ = AESGCMEncrypt(plaintext, key)
|
|
}
|
|
}
|
|
|
|
// BenchmarkHMACSHA256_1KB measures HMAC-SHA256 of a 1KB message.
|
|
func BenchmarkHMACSHA256_1KB(b *testing.B) {
|
|
key := make([]byte, 32)
|
|
_, _ = rand.Read(key)
|
|
message := make([]byte, 1024)
|
|
_, _ = rand.Read(message)
|
|
|
|
b.ResetTimer()
|
|
b.SetBytes(1024)
|
|
for i := 0; i < b.N; i++ {
|
|
_ = HMACSHA256(message, key)
|
|
}
|
|
}
|
|
|
|
// BenchmarkVerifyHMACSHA256 measures HMAC verification (constant-time compare).
|
|
func BenchmarkVerifyHMACSHA256(b *testing.B) {
|
|
key := make([]byte, 32)
|
|
_, _ = rand.Read(key)
|
|
message := make([]byte, 1024)
|
|
_, _ = rand.Read(message)
|
|
mac := HMACSHA256(message, key)
|
|
|
|
b.ResetTimer()
|
|
for i := 0; i < b.N; i++ {
|
|
_ = VerifyHMAC(message, key, mac, sha256.New)
|
|
}
|
|
}
|