RubyGems - rbnacl-libsodium - Versions diffs - 1.0.13 → 1.0.15 - Mend

rbnacl-libsodium 1.0.13 → 1.0.15

Files changed (201) hide show

data/vendor/libsodium/test/default/pwhash_argon2id.exp CHANGED

@@ -4,12 +4,11 @@
 [tv] pwhash failure (maybe intentional): [3]
 08d8cd330c57e1b4643241d05bb468ba4ee4e932cd0858816be9ef15360b27bbd06a87130ee92222be267a29b81f5ae8fe8613324cfc4832dc49387fd0602f1c57b4d0f3855db94fb7e12eb05f9a484aed4a4307abf586cd3d55c809bc081541e00b682772fb2066504ff935b8ebc551a2083882f874bc0fae68e56848ae34c91097c3bf0cca8e75c0797eef3efde3f75e005815018db3cf7c109a812264c4de69dcb22322dbbcfa447f5b00ecd1b04a7be1569c8e556adb7bba48adf81d
 d6e9d6cabd42fb9ba7162fe9b8e41d59d3c7034756cb460c9affe393308bd0225ce0371f2e6c3ca32aca2002bf2d3909c6b6e7dfc4a00e850ff4f570f8f749d4bb6f0091e554be67a9095ae1eefaa1a933316cbec3c2fd4a14a5b6941bda9b7eabd821d79abde2475a53af1a8571c7ee46460be415882e0b393f48c12f740a6a72cba9773000602e13b40d3dfa6ac1d4ec43a838b7e3e165fecad4b2498389e60a3ff9f0f8f4b9fca1126e64f49501e38690
-[tv] pwhash failure (maybe intentional): [6]
+7fb72409b0987f8190c3729710e98c3f80c5a8727d425fdcde7f3644d467fe973f5b5fee683bd3fce812cb9ae5e9921a2d06c2f1905e4e839692f2b934b682f11a2fe2b90482ea5dd234863516dba6f52dc0702d324ec77d860c2e181f84472bd7104fedce071ffa93c5309494ad51623d214447a7b2b1462dc7d5d55a1f6fd5b54ce024118d86f0c6489d16545aaa87b6689dad9f2fb47fda9894f8e12b87d978b483ccd4cc5fd9595cdc7a818452f915ce2f7df95ec12b1c72e3788d473441d884f9748eb14703c21b45d82fd667b85f5b2d98c13303b3fe76285531a826b6fc0fe8e3dddecf
 4e702bc5f891df884c6ddaa243aa846ce3c087fe930fef0f36b3c2be34164ccc295db509254743f18f947159c813bcd5dd8d94a3aec93bbe57605d1fad1aef1112687c3d4ef1cb329d21f1632f626818d766915d886e8d819e4b0b9c9307f4b6afc081e13b0cf31db382ff1bf05a16aac7af696336d75e99f82163e0f371e1d25c4add808e215697ad3f779a51a462f8bf52610af21fc69dba6b072606f2dabca7d4ae1d91d919
 2d232f9dc4de96628b2a4c2b39ceb6a813011fb74a3ba1da096761fabe08f563bd91366aba5c5e35aecd98643cabc16ce560dca261a963230a1fa2af52f2413a57a827c6ee13bcec0c123d195914a55700ccb5756196a86fb9cb4aeacccc0e6dd850f4386b705aaae147ea347543b7fbe24553d9da41f1b335b6e9980cdb966cf7b48520eb42a7269380c885dbefbccf447851fcacbe1753a5b9e1
 34b207147fb7ef83e1ca1a97e30aa6e08ea9b6b1048c59c9c13050dff33e76ce3c440d7f018f817e6b8593e78f339ba633b9d7ec3519b5eafbcc4bc2d20b5136bbc7e5b7e92ff37d024bbbecf5738f718ab22c8adcdb82ceffc233b8ad61f91850abdfe8bb119775d9c4243ec1ac761dfbd132489228dfeab5268c7f0ddc29f56b957d1b76c874cdd77e16139e0df9b847248fd782c9a1147b8480
 [tv3] pwhash_argon2id_str failure (maybe intentional): [0]
 [tv3] pwhash_argon2id_str failure (maybe intentional): [1]
-[tv3] pwhash_argon2id_str failure (maybe intentional): [2]
 [tv3] pwhash_argon2id_str failure (maybe intentional): [3]
-pwhash_argon2id_str failure
+OK

data/vendor/libsodium/test/default/pwhash_scrypt.c CHANGED

@@ -10,9 +10,9 @@ static void
 tv(void)
 {
     static struct {
-        const char *       passwd_hex;
+        const char        *passwd_hex;
         size_t             passwdlen;
-        const char *       salt_hex;
+        const char        *salt_hex;
         size_t             outlen;
         unsigned long long opslimit;
         size_t             memlimit;
@@ -117,9 +117,9 @@ static void
 tv2(void)
 {
     static struct {
-        const char *       passwd_hex;
+        const char        *passwd_hex;
         size_t             passwdlen;
-        const char *       salt_hex;
+        const char        *salt_hex;
         size_t             outlen;
         unsigned long long opslimit;
         size_t             memlimit;
@@ -260,8 +260,19 @@ tv3(void)
         { "Y0!?iQa9M%5ekffW(`", "$7$" },
         { "Y0!?iQa9M%5ekffW(`", "" },
         { "Y0!?iQa9M%5ekffW(`",
-          "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$"
-          "" },
+          "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" },
+        { "test",
+          "$7$.6..../.....lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." },
+        { "test",
+          "$7$z6..../.....lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." },
+        { "test",
+          "$7$8zzzzz/.....lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." },
+        { "test",
+          "$7$8zzzzzzzzzz.lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." },
+        { "test",
+          "$7$8.....zzzzz.lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." },
+        { "test",
+          "$7$86..../..../lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." }
     };
     char * out;
     char * passwd;
@@ -283,17 +294,14 @@ tv3(void)
     } while (++i < (sizeof tests) / (sizeof tests[0]));
 }
-int
-main(void)
+static void
+str_tests(void)
 {
-    char *      str_out;
-    char *      str_out2;
-    char *      salt;
+    char       *str_out;
+    char       *str_out2;
+    char       *salt;
     const char *passwd = "Correct Horse Battery Staple";
-    tv();
-    tv2();
-    tv3();
     salt = (char *) sodium_malloc(crypto_pwhash_scryptsalsa208sha256_SALTBYTES);
     str_out =
         (char *) sodium_malloc(crypto_pwhash_scryptsalsa208sha256_STRBYTES);
@@ -312,6 +320,24 @@ main(void)
     if (strcmp(str_out, str_out2) == 0) {
         printf("pwhash_str doesn't generate different salts\n");
     }
+    if (crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+        (str_out, OPSLIMIT, MEMLIMIT) != 0) {
+        printf("needs_rehash() false positive\n");
+    }
+    if (crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+        (str_out, OPSLIMIT, MEMLIMIT / 2) != 1 ||
+        crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+        (str_out, OPSLIMIT / 2, MEMLIMIT) != 1 ||
+        crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+        (str_out, OPSLIMIT, MEMLIMIT * 2) != 1 ||
+        crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+        (str_out, OPSLIMIT * 2, MEMLIMIT) != 1) {
+        printf("needs_rehash() false negative\n");
+    }
+    if (crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+        (str_out + 1, OPSLIMIT, MEMLIMIT) != -1) {
+        printf("needs_rehash() didn't fail with an invalid hash string\n");
+    }
     if (crypto_pwhash_scryptsalsa208sha256_str_verify(str_out, passwd,
                                                       strlen(passwd)) != 0) {
         printf("pwhash_str_verify failure\n");
@@ -328,6 +354,27 @@ main(void)
     str_out[14]--;
     assert(str_out[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U] == 0);
+    assert(crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+           (str_out, 0, 0) == 1);
+    assert(crypto_pwhash_str_needs_rehash(str_out, 0, 0) == -1);
+    assert(crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT) == -1);
+    assert(crypto_pwhash_scryptsalsa208sha256_str_needs_rehash
+           ("", OPSLIMIT, MEMLIMIT) == -1);
+    sodium_free(salt);
+    sodium_free(str_out);
+    sodium_free(str_out2);
+}
+int
+main(void)
+{
+    tv();
+    tv2();
+    tv3();
+    str_tests();
     assert(crypto_pwhash_scryptsalsa208sha256_bytes_min() > 0U);
     assert(crypto_pwhash_scryptsalsa208sha256_bytes_max() >
            crypto_pwhash_scryptsalsa208sha256_bytes_min());
@@ -347,10 +394,6 @@ main(void)
     assert(crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive() > 0U);
     assert(crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive() > 0U);
-    sodium_free(salt);
-    sodium_free(str_out);
-    sodium_free(str_out2);
     printf("OK\n");
     return 0;

data/vendor/libsodium/test/default/pwhash_scrypt.exp CHANGED

@@ -29,4 +29,10 @@ pwhash_str failure: [24]
 pwhash_str failure: [25]
 pwhash_str failure: [26]
 pwhash_str failure: [27]
+pwhash_str failure: [28]
+pwhash_str failure: [29]
+pwhash_str failure: [30]
+pwhash_str failure: [31]
+pwhash_str failure: [32]
+pwhash_str failure: [33]
 OK

data/vendor/libsodium/test/default/randombytes.c CHANGED

@@ -39,12 +39,14 @@ randombytes_tests(void)
     unsigned int  i;
     uint32_t      n;
-#ifdef __EMSCRIPTEN__
+#ifndef BENCHMARKS
+# ifdef __EMSCRIPTEN__
     assert(strcmp(randombytes_implementation_name(), "js") == 0);
-#elif defined(__native_client__)
+# elif defined(__native_client__)
     assert(strcmp(randombytes_implementation_name(), "nativeclient") == 0);
-#else
+# else
     assert(strcmp(randombytes_implementation_name(), "sysrandom") == 0);
+# endif
 #endif
     randombytes(x, 1U);
     do {
@@ -137,6 +139,7 @@ impl_tests(void)
     impl.uniform = randombytes_uniform_impl;
     randombytes_close();
     randombytes_set_implementation(&impl);
+    assert(randombytes_uniform(1) == 1);
     assert(randombytes_uniform(v) == v);
     assert(randombytes_uniform(v) == v);
     assert(randombytes_uniform(v) == v);
@@ -158,5 +161,7 @@ main(void)
 #endif
     printf("OK\n");
+    randombytes_set_implementation(&randombytes_salsa20_implementation);
     return 0;
 }

data/vendor/libsodium/test/default/secretbox.c CHANGED

@@ -55,11 +55,17 @@ main(void)
     }
     printf("\n");
+    assert(crypto_secretbox(c, c, 31, nonce, firstkey) == -1);
+    assert(crypto_secretbox(c, c, 12, nonce, firstkey) == -1);
+    assert(crypto_secretbox(c, c, 1, nonce, firstkey) == -1);
+    assert(crypto_secretbox(c, c, 0, nonce, firstkey) == -1);
     assert(crypto_secretbox_keybytes() > 0U);
     assert(crypto_secretbox_noncebytes() > 0U);
     assert(crypto_secretbox_zerobytes() > 0U);
     assert(crypto_secretbox_boxzerobytes() > 0U);
     assert(crypto_secretbox_macbytes() > 0U);
+    assert(crypto_secretbox_messagebytes_max() > 0U);
     assert(strcmp(crypto_secretbox_primitive(), "xsalsa20poly1305") == 0);
     assert(crypto_secretbox_keybytes() ==
            crypto_secretbox_xsalsa20poly1305_keybytes());
@@ -71,6 +77,8 @@ main(void)
            crypto_secretbox_xsalsa20poly1305_boxzerobytes());
     assert(crypto_secretbox_macbytes() ==
            crypto_secretbox_xsalsa20poly1305_macbytes());
+    assert(crypto_secretbox_messagebytes_max() ==
+           crypto_secretbox_xsalsa20poly1305_messagebytes_max());
     return 0;
 }

data/vendor/libsodium/test/default/secretbox2.c CHANGED

@@ -46,5 +46,10 @@ main(void)
         }
         printf("\n");
     }
+    assert(crypto_secretbox_open(m, c, 31, nonce, firstkey) == -1);
+    assert(crypto_secretbox_open(m, c, 16, nonce, firstkey) == -1);
+    assert(crypto_secretbox_open(m, c, 1, nonce, firstkey) == -1);
+    assert(crypto_secretbox_open(m, c, 0, nonce, firstkey) == -1);
     return 0;
 }

data/vendor/libsodium/test/default/secretbox_easy.c CHANGED

@@ -76,7 +76,7 @@ main(void)
     }
     printf("\n");
-    assert(crypto_secretbox_easy(c, m, SIZE_MAX - 1U, nonce, firstkey) == -1);
+    assert(crypto_secretbox_easy(c, m, 0, nonce, firstkey) == 0);
     /* Null message */
@@ -99,6 +99,24 @@ main(void)
         printf("Null tampered crypto_secretbox_open_easy() failed\n");
     }
+    /* No overlap, but buffers are next to each other */
+    memset(c, 0, 131 + crypto_secretbox_MACBYTES + 1);
+    memcpy(c, m, 20);
+    crypto_secretbox_easy(c, c + 10, 10, nonce, firstkey);
+    for (i = 0; i < 10 + crypto_secretbox_MACBYTES; ++i) {
+        printf(",0x%02x", (unsigned int) c[i]);
+    }
+    printf("\n");
+    memset(c, 0, 131 + crypto_secretbox_MACBYTES + 1);
+    memcpy(c, m, 20);
+    crypto_secretbox_easy(c + 10, c, 10, nonce, firstkey);
+    for (i = 0; i < 10 + crypto_secretbox_MACBYTES; ++i) {
+        printf(",0x%02x", (unsigned int) c[i]);
+    }
+    printf("\n");
     sodium_free(mac);
     sodium_free(c);

data/vendor/libsodium/test/default/secretbox_easy.exp CHANGED

@@ -5,3 +5,5 @@
 ,0xf3,0xff,0xc7,0x70,0x3f,0x94,0x00,0xe5,0x2a,0x7d,0xfb,0x4b,0x3d,0x33,0x05,0xd9,0x8e,0x99,0x3b,0x9f,0x48,0x68,0x12,0x73,0xc2,0x96,0x50,0xba,0x32,0xfc,0x76,0xce,0x48,0x33,0x2e,0xa7,0x16,0x4d,0x96,0xa4,0x47,0x6f,0xb8,0xc5,0x31,0xa1,0x18,0x6a,0xc0,0xdf,0xc1,0x7c,0x98,0xdc,0xe8,0x7b,0x4d,0xa7,0xf0,0x11,0xec,0x48,0xc9,0x72,0x71,0xd2,0xc2,0x0f,0x9b,0x92,0x8f,0xe2,0x27,0x0d,0x6f,0xb8,0x63,0xd5,0x17,0x38,0xb4,0x8e,0xee,0xe3,0x14,0xa7,0xcc,0x8a,0xb9,0x32,0x16,0x45,0x48,0xe5,0x26,0xae,0x90,0x22,0x43,0x68,0x51,0x7a,0xcf,0xea,0xbd,0x6b,0xb3,0x73,0x2b,0xc0,0xe9,0xda,0x99,0x83,0x2b,0x61,0xca,0x01,0xb6,0xde,0x56,0x24,0x4a,0x9e,0x88,0xd5,0xf9,0xb3,0x79,0x73,0xf6,0x22,0xa4,0x3d,0x14,0xa6,0x59,0x9b,0x1f,0x65,0x4c,0xb4,0x5a,0x74,0xe3,0x55,0xa5
 ,0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65,0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80,0x8e
 ,0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65,0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80,0x8e
+,0x8c,0xf3,0x90,0x57,0xc9,0xbc,0xf2,0xba,0x98,0x87,0xfb,0x15,0x9f,0x21,0x0c,0xd8,0x23,0x88,0x8f,0xb1,0x78,0x92,0xb2,0x8e,0xc8,0xa8
+,0xbe,0x07,0x5f,0xc5,0x3c,0x81,0xf2,0xd5,0xcf,0x14,0xd2,0xe8,0xe8,0x1a,0xac,0xd2,0xba,0x1b,0xaa,0x60,0x99,0xe3,0xd9,0x63,0x56,0x18

data/vendor/libsodium/test/default/secretbox_easy2.c CHANGED

@@ -40,6 +40,10 @@ main(void)
         }
     }
     crypto_secretbox_detached(c, mac, m, (unsigned long long) mlen, nonce, k);
+    if (crypto_secretbox_open_detached(NULL, c, mac, (unsigned long long) mlen,
+                                       nonce, k) != 0) {
+        printf("crypto_secretbox_open_detached() with a NULL message pointer failed\n");
+    }
     if (crypto_secretbox_open_detached(m2, c, mac, (unsigned long long) mlen,
                                        nonce, k) != 0) {
         printf("crypto_secretbox_open_detached() failed\n");

data/vendor/libsodium/test/default/secretstream.c ADDED

@@ -0,0 +1,280 @@
+#define TEST_NAME "secretstream"
+#include "cmptest.h"
+int
+main(void)
+{
+    crypto_secretstream_xchacha20poly1305_state *state;
+    crypto_secretstream_xchacha20poly1305_state state_copy;
+    unsigned char      *ad;
+    unsigned char      *header;
+    unsigned char      *k;
+    unsigned char      *c1, *c2, *c3;
+    unsigned char      *m1, *m2, *m3;
+    unsigned char      *m1_, *m2_, *m3_;
+    unsigned long long  res_len;
+    size_t              ad_len;
+    size_t              m1_len, m2_len, m3_len;
+    int                 ret;
+    unsigned char       tag;
+    state = (crypto_secretstream_xchacha20poly1305_state *)
+        sodium_malloc(crypto_secretstream_xchacha20poly1305_statebytes());
+    header = (unsigned char *)
+        sodium_malloc(crypto_secretstream_xchacha20poly1305_HEADERBYTES);
+    ad_len = randombytes_uniform(100);
+    m1_len = randombytes_uniform(1000);
+    m2_len = randombytes_uniform(1000);
+    m3_len = randombytes_uniform(1000);
+    c1 = (unsigned char *)
+        sodium_malloc(m1_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+    c2 = (unsigned char *)
+        sodium_malloc(m2_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+    c3 = (unsigned char *)
+        sodium_malloc(m3_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+    ad  = (unsigned char *) sodium_malloc(ad_len);
+    m1  = (unsigned char *) sodium_malloc(m1_len);
+    m2  = (unsigned char *) sodium_malloc(m2_len);
+    m3  = (unsigned char *) sodium_malloc(m3_len);
+    m1_ = (unsigned char *) sodium_malloc(m1_len);
+    m2_ = (unsigned char *) sodium_malloc(m2_len);
+    m3_ = (unsigned char *) sodium_malloc(m3_len);
+    randombytes_buf(ad, ad_len);
+    randombytes_buf(m1, m1_len);
+    memcpy(m1_, m1, m1_len);
+    randombytes_buf(m2, m2_len);
+    memcpy(m2_, m2, m2_len);
+    randombytes_buf(m3, m3_len);
+    memcpy(m3_, m3, m3_len);
+    k = (unsigned char *)
+        sodium_malloc(crypto_secretstream_xchacha20poly1305_KEYBYTES);
+    crypto_secretstream_xchacha20poly1305_keygen(k);
+    /* push */
+    ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c1, &res_len, m1, m1_len, NULL, 0, 0);
+    assert(ret == 0);
+    assert(res_len == m1_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c2, NULL, m2, m2_len, ad, 0, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c3, NULL, m3, m3_len, ad, ad_len,
+         crypto_secretstream_xchacha20poly1305_TAG_FINAL);
+    assert(ret == 0);
+    /* pull */
+    ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m1, &res_len, &tag,
+         c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    assert(tag == 0);
+    assert(memcmp(m1, m1_, m1_len) == 0);
+    assert(res_len == m1_len);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    assert(tag == 0);
+    assert(memcmp(m2, m2_, m2_len) == 0);
+    if (ad_len > 0) {
+        ret = crypto_secretstream_xchacha20poly1305_pull
+            (state, m3, NULL, &tag,
+             c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+        assert(ret == -1);
+    }
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m3, NULL, &tag,
+         c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, ad, ad_len);
+    assert(ret == 0);
+    assert(tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL);
+    assert(memcmp(m3, m3_, m3_len) == 0);
+    /* previous with FINAL tag */
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m3, NULL, &tag,
+         c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == -1);
+    /* previous without a tag */
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == -1);
+    /* short ciphertext */
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag, c2,
+         randombytes_uniform(crypto_secretstream_xchacha20poly1305_ABYTES),
+         NULL, 0);
+    assert(ret == -1);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag, c2, 0, NULL, 0);
+    assert(ret == -1);
+    /* empty ciphertext */
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag, c2,
+         crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == -1);
+    /* without explicit rekeying */
+    ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c1, NULL, m1, m1_len, NULL, 0, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c2, NULL, m2, m2_len, NULL, 0, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m1, NULL, &tag,
+         c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    /* with explicit rekeying */
+    ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c1, NULL, m1, m1_len, NULL, 0, 0);
+    assert(ret == 0);
+    crypto_secretstream_xchacha20poly1305_rekey(state);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c2, NULL, m2, m2_len, NULL, 0, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m1, NULL, &tag,
+         c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == -1);
+    crypto_secretstream_xchacha20poly1305_rekey(state);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    /* New stream */
+    ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c1, &res_len, m1, m1_len, NULL, 0,
+         crypto_secretstream_xchacha20poly1305_TAG_PUSH);
+    assert(ret == 0);
+    assert(res_len == m1_len + crypto_secretstream_xchacha20poly1305_ABYTES);
+    /* Force a counter overflow, check that the key has been updated
+     * even though the tag was not changed to REKEY */
+    memset(state->nonce, 0xff, 4U);
+    state_copy = *state;
+    ret = crypto_secretstream_xchacha20poly1305_push
+        (state, c2, NULL, m2, m2_len, ad, 0, 0);
+    assert(ret == 0);
+    assert(memcmp(state_copy.k, state->k, sizeof state->k) != 0);
+    assert(memcmp(state_copy.nonce, state->nonce, sizeof state->nonce) != 0);
+    assert(state->nonce[0] == 1U);
+    assert(sodium_is_zero(state->nonce + 1, 3U));
+    ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
+    assert(ret == 0);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m1, &res_len, &tag,
+         c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    assert(tag == crypto_secretstream_xchacha20poly1305_TAG_PUSH);
+    assert(memcmp(m1, m1_, m1_len) == 0);
+    assert(res_len == m1_len);
+    memset(state->nonce, 0xff, 4U);
+    ret = crypto_secretstream_xchacha20poly1305_pull
+        (state, m2, NULL, &tag,
+         c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0);
+    assert(ret == 0);
+    assert(tag == 0);
+    assert(memcmp(m2, m2_, m2_len) == 0);
+    sodium_free(m3_);
+    sodium_free(m2_);
+    sodium_free(m1_);
+    sodium_free(m3);
+    sodium_free(m2);
+    sodium_free(m1);
+    sodium_free(ad);
+    sodium_free(c3);
+    sodium_free(c2);
+    sodium_free(c1);
+    sodium_free(k);
+    sodium_free(header);
+    sodium_free(state);
+    assert(crypto_secretstream_xchacha20poly1305_abytes() ==
+           crypto_secretstream_xchacha20poly1305_ABYTES);
+    assert(crypto_secretstream_xchacha20poly1305_headerbytes() ==
+           crypto_secretstream_xchacha20poly1305_HEADERBYTES);
+    assert(crypto_secretstream_xchacha20poly1305_keybytes() ==
+           crypto_secretstream_xchacha20poly1305_KEYBYTES);
+    assert(crypto_secretstream_xchacha20poly1305_messagebytes_max() ==
+           crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX);
+    assert(crypto_secretstream_xchacha20poly1305_tag_message() ==
+           crypto_secretstream_xchacha20poly1305_TAG_MESSAGE);
+    assert(crypto_secretstream_xchacha20poly1305_tag_push() ==
+           crypto_secretstream_xchacha20poly1305_TAG_PUSH);
+    assert(crypto_secretstream_xchacha20poly1305_tag_rekey() ==
+           crypto_secretstream_xchacha20poly1305_TAG_REKEY);
+    assert(crypto_secretstream_xchacha20poly1305_tag_final() ==
+           crypto_secretstream_xchacha20poly1305_TAG_FINAL);
+    printf("OK\n");
+    return 0;
+}