Using crypto_secretstream_* API for messages of unknown lengths

[ayende]

It seems to be that there is an unstated limitation for the crypto_secretstream_ API, we must pass the whole output of the *_push function to the *_pull function for it to work, right?

In other words, I have this code:

crypto_secretstream_xchacha20poly1305_push
 (&state, c1, NULL, MESSAGE_PART1, MESSAGE_PART1_LEN, NULL, 0, 0);

if (crypto_secretstream_xchacha20poly1305_pull
    (&state, m1, NULL, &tag, c1, CIPHERTEXT_PART1_LEN, NULL, 0) != 0) {
   /* Invalid/incomplete/corrupted ciphertext - abort */
}

But it wouldn't be possible for me to call the *_pull function with CIPHERTEXT_PART1_LEN/2 twice and get the original data. We must preserve the size as a single unit.

The reason that this matters is that I'm looking at using this over a network protocol, and I need to be able to provide a mechanism to pass the length of the value that I'm writing to the other side in a way that it can read.

Over the wire, that will end up looking like:

[170 bytes] [ encrypted] [ 824 bytes] [encrypted], etc.

Am I understanding things properly? Do I need to worry about leaking the fragment lengths? Do I need to implement some form of padding to avoiding leaking the size of the messages that I'm sending?