From 04ca8ff8d34c975261d13c47be4eae797e70a402 Mon Sep 17 00:00:00 2001
From: Loup Vaillant <loup@loup-vaillant.fr>
Date: Mon, 17 Jul 2017 18:15:02 +0200
Subject: [PATCH] more tests for crypto_chacha20_set_ctr()

---
 tests/properties.c | 47 ++++++++++++++++++++++++++--------------------
 tests/sodium.c     | 28 ++++++++++++++++++++++-----
 2 files changed, 50 insertions(+), 25 deletions(-)

diff --git a/tests/properties.c b/tests/properties.c
index d5ffdf5..9803ca6 100644
--- a/tests/properties.c
+++ b/tests/properties.c
@@ -26,21 +26,17 @@ void p_random(u8 *stream, size_t size)
     crypto_chacha20_stream(&ctx, stream, size);
 }
 
-static u32 load32_le(const u8 s[4])
+// Random 64 bit number
+u64 rand64()
 {
-    return (u32)s[0]
-        | ((u32)s[1] <<  8)
-        | ((u32)s[2] << 16)
-        | ((u32)s[3] << 24);
-}
-
-// Random number between 0 and max.
-// Unbalanced if max is not a power of 2.
-u32 rand_mod(u32 max)
-{
-    u8 n[4];
-    p_random(n, 4);
-    return load32_le(n) % max;
+    u8  tmp;
+    u64 result = 0;
+    FOR (i, 0, 8) {
+        p_random(&tmp, 1);
+        result <<= 8;
+        result  += tmp;
+    }
+    return result;
 }
 
 // Tests that encrypting in chunks yields the same result than
@@ -65,7 +61,7 @@ static int chacha20()
         crypto_chacha_ctx ctx;
         crypto_chacha20_init(&ctx, key, nonce);
         while (1) {
-            size_t chunk_size = rand_mod(c_max_size);
+            size_t chunk_size = rand64() % c_max_size;
             if (offset + chunk_size > input_size) { break; }
             u8 *out = output_chunk + offset;
             u8 *in  = input        + offset;
@@ -90,11 +86,12 @@ static int chacha20_set_ctr()
     static const size_t stream_size = block_size * nb_blocks;
     int status = 0;
     FOR (i, 0, 1000) {
-        u8 output_part[stream_size];
-        u8 output_all [stream_size];
+        u8 output_part[stream_size    ];
+        u8 output_all [stream_size    ];
+        u8 output_more[stream_size * 2];
         u8 key        [32];          p_random(key  , 32);
         u8 nonce      [8];           p_random(nonce, 8 );
-        size_t ctr   = rand_mod(nb_blocks);
+        size_t ctr   = rand64() % nb_blocks;
         size_t limit = ctr * block_size;
         // Encrypt all at once
         crypto_chacha_ctx ctx;
@@ -108,6 +105,16 @@ static int chacha20_set_ctr()
         crypto_chacha20_stream(&ctx, output_part, limit);
         // Compare the results (must be the same)
         status |= crypto_memcmp(output_part, output_all, stream_size);
+
+        // Encrypt before the begining
+        crypto_chacha20_set_ctr(&ctx, -ctr);
+        crypto_chacha20_stream(&ctx,
+                               output_more + stream_size - limit,
+                               stream_size + limit);
+        // Compare the results (must be the same)
+        status |= crypto_memcmp(output_more + stream_size,
+                                output_all,
+                                stream_size);
     }
     printf("%s: Chacha20 (set counter)\n", status != 0 ? "FAILED" : "OK");
     return status;
@@ -134,7 +141,7 @@ static int poly1305()
         crypto_poly1305_ctx ctx;
         crypto_poly1305_init(&ctx, key);
         while (1) {
-            size_t chunk_size = rand_mod(c_max_size);
+            size_t chunk_size = rand64() % c_max_size;
             if (offset + chunk_size > input_size) { break; }
             crypto_poly1305_update(&ctx, input + offset, chunk_size);
             offset += chunk_size;
@@ -173,7 +180,7 @@ static int blake2b()
         crypto_blake2b_ctx ctx;
         crypto_blake2b_init(&ctx);
         while (1) {
-            size_t chunk_size = rand_mod(c_max_size);
+            size_t chunk_size = rand64() % c_max_size;
             if (offset + chunk_size > input_size) { break; }
             crypto_blake2b_update(&ctx, input + offset, chunk_size);
             offset += chunk_size;
diff --git a/tests/sodium.c b/tests/sodium.c
index d2819fa..ce377ff 100644
--- a/tests/sodium.c
+++ b/tests/sodium.c
@@ -6,7 +6,8 @@
 #include <sodium.h>
 
 #define FOR(i, start, end) for (size_t (i) = (start); (i) < (end); (i)++)
-typedef uint8_t u8;
+typedef uint8_t  u8;
+typedef uint64_t u64;
 
 // Deterministic "random" number generator, so we can make "random", yet
 // reproducible tests.  To change the random stream, change the seed.
@@ -23,6 +24,19 @@ void p_random(u8 *stream, u8 size)
     rename_chacha20_stream(&ctx, stream, size);
 }
 
+// Random 64 bit number
+u64 rand64()
+{
+    u8  tmp;
+    u64 result = 0;
+    FOR (i, 0, 8) {
+        p_random(&tmp, 1);
+        result <<= 8;
+        result  += tmp;
+    }
+    return result;
+}
+
 static int chacha20(void)
 {
     u8  key[32], nonce[8], in[256], mono[256], sodium[256];
@@ -31,10 +45,12 @@ static int chacha20(void)
         p_random(key, 32);
         p_random(nonce, 8);
         p_random(in, size);
+        u64 ctr = rand64();
         rename_chacha_ctx ctx;
-        rename_chacha20_init(&ctx, key, nonce);
+        rename_chacha20_init   (&ctx, key, nonce);
+        rename_chacha20_set_ctr(&ctx, ctr);
         rename_chacha20_encrypt(&ctx, mono, in, size);
-        crypto_stream_chacha20_xor(sodium, in, size, nonce, key);
+        crypto_stream_chacha20_xor_ic(sodium, in, size, nonce, ctr, key);
         status |= rename_memcmp(mono, sodium, size);
     }
     printf("%s: Chacha20\n", status != 0 ? "FAILED" : "OK");
@@ -49,10 +65,12 @@ static int xchacha20(void)
         p_random(key, 32);
         p_random(nonce, 24);
         p_random(in, size);
+        u64 ctr = rand64();
         rename_chacha_ctx ctx;
-        rename_chacha20_x_init(&ctx, key, nonce);
+        rename_chacha20_x_init (&ctx, key, nonce);
+        rename_chacha20_set_ctr(&ctx, ctr);
         rename_chacha20_encrypt(&ctx, mono, in, size);
-        crypto_stream_xchacha20_xor(sodium, in, size, nonce, key);
+        crypto_stream_xchacha20_xor_ic(sodium, in, size, nonce, ctr, key);
         status |= rename_memcmp(mono, sodium, size);
     }
     printf("%s: XChacha20\n", status != 0 ? "FAILED" : "OK");
-- 
2.47.3