From 6e8e0a93f9dd9bcb22f052b8aa1f9079ed3ff7a6 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Wed, 16 Aug 2017 14:53:16 +0200
Subject: [PATCH] Add a couple tests for crypto_secretstream_*()

---
 .gitignore                                    |   1 +
 .../secretstream_xchacha20poly1305.c          |   6 +-
 test/default/Makefile.am                      |   8 +
 test/default/secretstream.c                   | 181 ++++++++++++++++++
 test/default/secretstream.exp                 |   1 +
 5 files changed, 195 insertions(+), 2 deletions(-)
 create mode 100644 test/default/secretstream.c
 create mode 100644 test/default/secretstream.exp

diff --git a/.gitignore b/.gitignore
index e0281ae9..526277f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -134,6 +134,7 @@ test/default/secretbox7
 test/default/secretbox8
 test/default/secretbox_easy
 test/default/secretbox_easy2
+test/default/secretstream
 test/default/shorthash
 test/default/sign
 test/default/siphashx24
diff --git a/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
index 32d01b3b..b2ed5141 100644
--- a/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
+++ b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
@@ -33,8 +33,10 @@ crypto_secretstream_xchacha20poly1305_init_push
     unsigned char out[crypto_secretstream_xchacha20poly1305_INITBYTES],
     const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
 {
-    randombytes_buf(out, crypto_core_hchacha20_INPUTBYTES +
-                    crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+    COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_INITBYTES ==
+                    crypto_core_hchacha20_INPUTBYTES + crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+
+    randombytes_buf(out, crypto_secretstream_xchacha20poly1305_INITBYTES);
     crypto_core_hchacha20(state->k, out, k, NULL);
     memcpy(state->nonce, out + crypto_core_hchacha20_INPUTBYTES,
            crypto_secretstream_xchacha20poly1305_INONCEBYTES);
diff --git a/test/default/Makefile.am b/test/default/Makefile.am
index 2cda92e4..4e1d79d3 100644
--- a/test/default/Makefile.am
+++ b/test/default/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = \
 	secretbox8.exp \
 	secretbox_easy.exp \
 	secretbox_easy2.exp \
+	secretstream.exp \
 	shorthash.exp \
 	sign.exp \
 	siphashx24.exp \
@@ -127,6 +128,7 @@ DISTCLEANFILES = \
 	secretbox8.res \
 	secretbox_easy.res \
 	secretbox_easy2.res \
+	secretstream.res \
 	shorthash.res \
 	sign.res \
 	siphashx24.res \
@@ -198,6 +200,7 @@ CLEANFILES = \
 	secretbox8.final \
 	secretbox_easy.final \
 	secretbox_easy2.final \
+	secretstream.final \
 	shorthash.final \
 	sign.final \
 	siphashx24.final \
@@ -264,6 +267,7 @@ CLEANFILES = \
 	secretbox8.nexe \
 	secretbox_easy.nexe \
 	secretbox_easy2.nexe \
+	secretstream.nexe \
 	shorthash.nexe \
 	sign.nexe \
 	siphashx24.nexe \
@@ -340,6 +344,7 @@ TESTS_TARGETS = \
 	secretbox8 \
 	secretbox_easy \
 	secretbox_easy2 \
+	secretstream \
 	shorthash \
 	sign \
 	sodium_core \
@@ -525,6 +530,9 @@ secretbox_easy_LDADD      = $(TESTS_LDADD)
 secretbox_easy2_SOURCE    = cmptest.h secretbox_easy2.c
 secretbox_easy2_LDADD     = $(TESTS_LDADD)
 
+secretstream_SOURCE       = cmptest.h secretstream.c
+secretstream_LDADD        = $(TESTS_LDADD)
+
 shorthash_SOURCE          = cmptest.h shorthash.c
 shorthash_LDADD           = $(TESTS_LDADD)
 
diff --git a/test/default/secretstream.c b/test/default/secretstream.c
new file mode 100644
index 00000000..bd080667
--- /dev/null
+++ b/test/default/secretstream.c
@@ -0,0 +1,181 @@
+
+#define TEST_NAME "secretstream"
+#include "cmptest.h"
+
+int
+main(void)
+{
+    crypto_secretstream_xchacha20poly1305_state *state;
+    unsigned char *header;
+    unsigned char *k;
+    unsigned char *c1, *c2, *c3;
+    unsigned char *m1, *m2, *m3;
+    unsigned char *m1_, *m2_, *m3_;
+    size_t         m1_len, m2_len, m3_len;
+    int            ret;
+    unsigned char  tag;
+
+    state = (crypto_secretstream_xchacha20poly1305_state *)
+        sodium_malloc(crypto_secretstream_xchacha20poly1305_statebytes());
+    header = (unsigned char *)
+        sodium_malloc(crypto_secretstream_xchacha20poly1305_INITBYTES);
+
+    m1_len = randombytes_uniform(1000);
+    m2_len = randombytes_uniform(1000);
+    m3_len = randombytes_uniform(1000);
+
+    c1 = (unsigned char *)
+        sodium_malloc(m1_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+    c2 = (unsigned char *)
+        sodium_malloc(m2_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+    c3 = (unsigned char *)
+        sodium_malloc(m3_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+
+    m1  = (unsigned char *) sodium_malloc(m1_len);
+    m2  = (unsigned char *) sodium_malloc(m2_len);
+    m3  = (unsigned char *) sodium_malloc(m3_len);
+    m1_ = (unsigned char *) sodium_malloc(m1_len);
+    m2_ = (unsigned char *) sodium_malloc(m2_len);
+    m3_ = (unsigned char *) sodium_malloc(m3_len);
+
+    randombytes_buf(m1, m1_len);
+    memcpy(m1_, m1, m1_len);
+    randombytes_buf(m2, m2_len);
+    memcpy(m2_, m2, m2_len);
+    randombytes_buf(m3, m3_len);
+    memcpy(m3_, m3, m3_len);
+
+    k = (unsigned char *)
+        sodium_malloc(crypto_secretstream_xchacha20poly1305_KEYBYTES);
+    crypto_secretstream_xchacha20poly1305_keygen(k);
+
+    /* push */
+
+    ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k);
+    assert(ret == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c1, NULL, m1, m1_len, NULL, 0, 0);
+    assert(ret == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c2, NULL, m2, m2_len, NULL, 0, 0);
+    assert(ret == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c3, NULL, m3, m3_len, NULL, 0,
+         crypto_secretstream_xchacha20poly1305_TAG_FINAL);
+    assert(ret == 0);
+
+    /* pull */
+
+    ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
+    assert(ret == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m1, NULL, &tag,
+         c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    assert(tag == 0);
+    assert(memcmp(m1, m1_, m1_len) == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    assert(tag == 0);
+    assert(memcmp(m2, m2_, m2_len) == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m3, NULL, &tag,
+         c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    assert(tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL);
+    assert(memcmp(m3, m3_, m3_len) == 0);
+
+    /* previous with FINAL tag */
+
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m3, NULL, &tag,
+         c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == -1);
+
+    /* previous without a tag */
+
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == -1);
+
+    /* without explicit rekeying */
+
+    ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c1, NULL, m1, m1_len, NULL, 0, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c2, NULL, m2, m2_len, NULL, 0, 0);
+    assert(ret == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m1, NULL, &tag,
+         c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+
+    /* with explicit rekeying */
+
+    ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c1, NULL, m1, m1_len, NULL, 0, 0);
+    assert(ret == 0);
+
+    crypto_secretstream_xchacha20poly1305_rekey(state);
+
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c2, NULL, m2, m2_len, NULL, 0, 0);
+    assert(ret == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m1, NULL, &tag,
+         c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == -1);
+
+    crypto_secretstream_xchacha20poly1305_rekey(state);
+
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+
+    sodium_free(m3_);
+    sodium_free(m2_);
+    sodium_free(m1_);
+    sodium_free(m3);
+    sodium_free(m2);
+    sodium_free(m1);
+    sodium_free(c3);
+    sodium_free(c2);
+    sodium_free(c1);
+    sodium_free(k);
+    sodium_free(header);
+    sodium_free(state);
+    
+    printf("OK\n");
+
+    return 0;
+}
diff --git a/test/default/secretstream.exp b/test/default/secretstream.exp
new file mode 100644
index 00000000..d86bac9d
--- /dev/null
+++ b/test/default/secretstream.exp
@@ -0,0 +1 @@
+OK