diff --git a/xchacha20poly1305/xchachapoly.go b/xchacha20poly1305/xchachapoly.go
index 96413b8c1..9e0778579 100644
--- a/xchacha20poly1305/xchachapoly.go
+++ b/xchacha20poly1305/xchachapoly.go
@@ -4,6 +4,7 @@ import (
 	"crypto/cipher"
 	"encoding/binary"
 	"errors"
+	"fmt"
 
 	"golang.org/x/crypto/chacha20poly1305"
 )
@@ -64,10 +65,10 @@ func (c *xchacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) [
 
 func (c *xchacha20poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
 	if len(nonce) != NonceSize {
-		panic("xchacha20poly1305: bad nonce length passed to Open")
+		return nil, fmt.Errorf("xchacha20poly1305: bad nonce length passed to Open")
 	}
 	if uint64(len(ciphertext)) > (1<<38)-48 {
-		panic("xchacha20poly1305: ciphertext too large")
+		return nil, fmt.Errorf("xchacha20poly1305: ciphertext too large")
 	}
 	var subKey [KeySize]byte
 	var hNonce [16]byte
diff --git a/xchacha20poly1305/xchachapoly_test.go b/xchacha20poly1305/xchachapoly_test.go
index 460b90ab4..3001217f4 100644
--- a/xchacha20poly1305/xchachapoly_test.go
+++ b/xchacha20poly1305/xchachapoly_test.go
@@ -80,6 +80,13 @@ func TestVectors(t *testing.T) {
 		if !bytes.Equal(dst, v.ciphertext) {
 			t.Errorf("Test %d: ciphertext mismatch:\n \t got:  %s\n \t want: %s", i, toHex(dst), toHex(v.ciphertext))
 		}
+		open, err := aead.Open(nil, nonce[:], dst, v.ad)
+		if err != nil {
+			t.Error(err)
+		}
+		if !bytes.Equal(open, v.plaintext) {
+			t.Errorf("Test %d: plaintext mismatch:\n \t got:  %s\n \t want: %s", i, string(open), string(v.plaintext))
+		}
 	}
 }