Merge pull request #171 from libtom/pr/chacha20poly1305

RFC 7539 - ChaCha20 and Poly1305 + ChaCha20 based PRNG
2017-04-03 21:21:20 +02:00 · 2017-04-03 21:21:20 +02:00 · 5199b54635
commit 5199b54635
parent 6844275e82 2520e6c061
38 changed files with 1933 additions and 73 deletions
--- a/libtomcrypt_VS2008.vcproj
+++ b/libtomcrypt_VS2008.vcproj
@ -591,6 +591,46 @@
 					>
 				</File>
 			</Filter>
 			<Filter
 				Name="chachapoly"
 				>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_add_aad.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_decrypt.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_done.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_encrypt.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_init.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_memory.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_setiv.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_setiv_rfc7905.c"
 					>
 				</File>
 				<File
 					RelativePath="src\encauth\chachapoly\chacha20poly1305_test.c"
 					>
 				</File>
 			</Filter>
 			<Filter
 				Name="eax"
 				>
@ -1147,6 +1187,30 @@
 					>
 				</File>
 			</Filter>
 			<Filter
 				Name="poly1305"
 				>
 				<File
 					RelativePath="src\mac\poly1305\poly1305.c"
 					>
 				</File>
 				<File
 					RelativePath="src\mac\poly1305\poly1305_file.c"
 					>
 				</File>
 				<File
 					RelativePath="src\mac\poly1305\poly1305_memory.c"
 					>
 				</File>
 				<File
 					RelativePath="src\mac\poly1305\poly1305_memory_multi.c"
 					>
 				</File>
 				<File
 					RelativePath="src\mac\poly1305\poly1305_test.c"
 					>
 				</File>
 			</Filter>
 			<Filter
 				Name="xcbc"
 				>
@ -2207,6 +2271,10 @@
 		<Filter
 			Name="prngs"
 			>
 			<File
 				RelativePath="src\prngs\chacha.c"
 				>
 			</File>
 			<File
 				RelativePath="src\prngs\fortuna.c"
 				>
@ -2280,6 +2348,42 @@
 				>
 			</File>
 		</Filter>
 		<Filter
 			Name="stream"
 			>
 			<Filter
 				Name="chacha"
 				>
 				<File
 					RelativePath="src\stream\chacha\chacha_crypt.c"
 					>
 				</File>
 				<File
 					RelativePath="src\stream\chacha\chacha_done.c"
 					>
 				</File>
 				<File
 					RelativePath="src\stream\chacha\chacha_ivctr32.c"
 					>
 				</File>
 				<File
 					RelativePath="src\stream\chacha\chacha_ivctr64.c"
 					>
 				</File>
 				<File
 					RelativePath="src\stream\chacha\chacha_keystream.c"
 					>
 				</File>
 				<File
 					RelativePath="src\stream\chacha\chacha_setup.c"
 					>
 				</File>
 				<File
 					RelativePath="src\stream\chacha\chacha_test.c"
 					>
 				</File>
 			</Filter>
 		</Filter>
 	</Files>
 	<Globals>
 	</Globals>
--- a/34
+++ b/34
@ -49,15 +49,20 @@ src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/saferp.o src/ciphe
 src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_add_aad.o \
 src/encauth/ccm/ccm_add_nonce.o src/encauth/ccm/ccm_done.o src/encauth/ccm/ccm_init.o \
 src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_process.o src/encauth/ccm/ccm_reset.o \
-src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \
+src/encauth/ccm/ccm_test.o src/encauth/chachapoly/chacha20poly1305_add_aad.o \
-src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \
+src/encauth/chachapoly/chacha20poly1305_decrypt.o src/encauth/chachapoly/chacha20poly1305_done.o \
-src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \
+src/encauth/chachapoly/chacha20poly1305_encrypt.o src/encauth/chachapoly/chacha20poly1305_init.o \
-src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \
+src/encauth/chachapoly/chacha20poly1305_memory.o src/encauth/chachapoly/chacha20poly1305_setiv.o \
-src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \
+src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.o \
-src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \
+src/encauth/chachapoly/chacha20poly1305_test.o src/encauth/eax/eax_addheader.o \
-src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \
+src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \
-src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
+src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \
-src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
+src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
 src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
 src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
 src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
 src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
@ -81,7 +86,9 @@ src/mac/omac/omac_process.o src/mac/omac/omac_test.o src/mac/pelican/pelican.o \
 src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o src/mac/pmac/pmac_done.o \
 src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \
 src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \
-src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \
+src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/poly1305/poly1305.o \
 src/mac/poly1305/poly1305_file.o src/mac/poly1305/poly1305_memory.o \
 src/mac/poly1305/poly1305_memory_multi.o src/mac/poly1305/poly1305_test.o src/mac/xcbc/xcbc_done.o \
 src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \
 src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \
 src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \
@ -173,8 +180,11 @@ src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_en
 src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
 src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_radix.o src/pk/rsa/rsa_import_x509.o \
 src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
-src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \
+src/pk/rsa/rsa_verify_hash.o src/prngs/chacha.o src/prngs/fortuna.o src/prngs/rc4.o \
-src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o
 HEADERS=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \
 src/headers/tomcrypt_cipher.h src/headers/tomcrypt_custom.h src/headers/tomcrypt_hash.h \
--- a/makefile.icc
+++ b/makefile.icc
@ -106,15 +106,20 @@ src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/saferp.o src/ciphe
 src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_add_aad.o \
 src/encauth/ccm/ccm_add_nonce.o src/encauth/ccm/ccm_done.o src/encauth/ccm/ccm_init.o \
 src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_process.o src/encauth/ccm/ccm_reset.o \
-src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \
+src/encauth/ccm/ccm_test.o src/encauth/chachapoly/chacha20poly1305_add_aad.o \
-src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \
+src/encauth/chachapoly/chacha20poly1305_decrypt.o src/encauth/chachapoly/chacha20poly1305_done.o \
-src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \
+src/encauth/chachapoly/chacha20poly1305_encrypt.o src/encauth/chachapoly/chacha20poly1305_init.o \
-src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \
+src/encauth/chachapoly/chacha20poly1305_memory.o src/encauth/chachapoly/chacha20poly1305_setiv.o \
-src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \
+src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.o \
-src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \
+src/encauth/chachapoly/chacha20poly1305_test.o src/encauth/eax/eax_addheader.o \
-src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \
+src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \
-src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
+src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \
-src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
+src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
 src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
 src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
 src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
 src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
@ -138,7 +143,9 @@ src/mac/omac/omac_process.o src/mac/omac/omac_test.o src/mac/pelican/pelican.o \
 src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o src/mac/pmac/pmac_done.o \
 src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \
 src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \
-src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \
+src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/poly1305/poly1305.o \
 src/mac/poly1305/poly1305_file.o src/mac/poly1305/poly1305_memory.o \
 src/mac/poly1305/poly1305_memory_multi.o src/mac/poly1305/poly1305_test.o src/mac/xcbc/xcbc_done.o \
 src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \
 src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \
 src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \
@ -230,8 +237,11 @@ src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_en
 src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
 src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_radix.o src/pk/rsa/rsa_import_x509.o \
 src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
-src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \
+src/pk/rsa/rsa_verify_hash.o src/prngs/chacha.o src/prngs/fortuna.o src/prngs/rc4.o \
-src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o
 HEADERS=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \
 src/headers/tomcrypt_cipher.h src/headers/tomcrypt_custom.h src/headers/tomcrypt_hash.h \
--- a/makefile.mingw
+++ b/makefile.mingw
@ -42,15 +42,20 @@ src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/saferp.o src/ciphe
 src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_add_aad.o \
 src/encauth/ccm/ccm_add_nonce.o src/encauth/ccm/ccm_done.o src/encauth/ccm/ccm_init.o \
 src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_process.o src/encauth/ccm/ccm_reset.o \
-src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \
+src/encauth/ccm/ccm_test.o src/encauth/chachapoly/chacha20poly1305_add_aad.o \
-src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \
+src/encauth/chachapoly/chacha20poly1305_decrypt.o src/encauth/chachapoly/chacha20poly1305_done.o \
-src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \
+src/encauth/chachapoly/chacha20poly1305_encrypt.o src/encauth/chachapoly/chacha20poly1305_init.o \
-src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \
+src/encauth/chachapoly/chacha20poly1305_memory.o src/encauth/chachapoly/chacha20poly1305_setiv.o \
-src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \
+src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.o \
-src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \
+src/encauth/chachapoly/chacha20poly1305_test.o src/encauth/eax/eax_addheader.o \
-src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \
+src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \
-src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
+src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \
-src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
+src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
 src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
 src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
 src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
 src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
@ -74,7 +79,9 @@ src/mac/omac/omac_process.o src/mac/omac/omac_test.o src/mac/pelican/pelican.o \
 src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o src/mac/pmac/pmac_done.o \
 src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \
 src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \
-src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \
+src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/poly1305/poly1305.o \
 src/mac/poly1305/poly1305_file.o src/mac/poly1305/poly1305_memory.o \
 src/mac/poly1305/poly1305_memory_multi.o src/mac/poly1305/poly1305_test.o src/mac/xcbc/xcbc_done.o \
 src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \
 src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \
 src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \
@ -166,8 +173,11 @@ src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_en
 src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
 src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_radix.o src/pk/rsa/rsa_import_x509.o \
 src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
-src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \
+src/pk/rsa/rsa_verify_hash.o src/prngs/chacha.o src/prngs/fortuna.o src/prngs/rc4.o \
-src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o
 HEADERS=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \
 src/headers/tomcrypt_cipher.h src/headers/tomcrypt_custom.h src/headers/tomcrypt_hash.h \
--- a/makefile.msvc
+++ b/makefile.msvc
@ -16,15 +16,20 @@ src/ciphers/rc6.obj src/ciphers/safer/safer.obj src/ciphers/safer/saferp.obj src
 src/ciphers/twofish/twofish.obj src/ciphers/xtea.obj src/encauth/ccm/ccm_add_aad.obj \
 src/encauth/ccm/ccm_add_nonce.obj src/encauth/ccm/ccm_done.obj src/encauth/ccm/ccm_init.obj \
 src/encauth/ccm/ccm_memory.obj src/encauth/ccm/ccm_process.obj src/encauth/ccm/ccm_reset.obj \
-src/encauth/ccm/ccm_test.obj src/encauth/eax/eax_addheader.obj src/encauth/eax/eax_decrypt.obj \
+src/encauth/ccm/ccm_test.obj src/encauth/chachapoly/chacha20poly1305_add_aad.obj \
-src/encauth/eax/eax_decrypt_verify_memory.obj src/encauth/eax/eax_done.obj src/encauth/eax/eax_encrypt.obj \
+src/encauth/chachapoly/chacha20poly1305_decrypt.obj src/encauth/chachapoly/chacha20poly1305_done.obj \
-src/encauth/eax/eax_encrypt_authenticate_memory.obj src/encauth/eax/eax_init.obj \
+src/encauth/chachapoly/chacha20poly1305_encrypt.obj src/encauth/chachapoly/chacha20poly1305_init.obj \
-src/encauth/eax/eax_test.obj src/encauth/gcm/gcm_add_aad.obj src/encauth/gcm/gcm_add_iv.obj \
+src/encauth/chachapoly/chacha20poly1305_memory.obj src/encauth/chachapoly/chacha20poly1305_setiv.obj \
-src/encauth/gcm/gcm_done.obj src/encauth/gcm/gcm_gf_mult.obj src/encauth/gcm/gcm_init.obj \
+src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.obj \
-src/encauth/gcm/gcm_memory.obj src/encauth/gcm/gcm_mult_h.obj src/encauth/gcm/gcm_process.obj \
+src/encauth/chachapoly/chacha20poly1305_test.obj src/encauth/eax/eax_addheader.obj \
-src/encauth/gcm/gcm_reset.obj src/encauth/gcm/gcm_test.obj src/encauth/ocb/ocb_decrypt.obj \
+src/encauth/eax/eax_decrypt.obj src/encauth/eax/eax_decrypt_verify_memory.obj src/encauth/eax/eax_done.obj \
-src/encauth/ocb/ocb_decrypt_verify_memory.obj src/encauth/ocb/ocb_done_decrypt.obj \
+src/encauth/eax/eax_encrypt.obj src/encauth/eax/eax_encrypt_authenticate_memory.obj \
-src/encauth/ocb/ocb_done_encrypt.obj src/encauth/ocb/ocb_encrypt.obj \
+src/encauth/eax/eax_init.obj src/encauth/eax/eax_test.obj src/encauth/gcm/gcm_add_aad.obj \
 src/encauth/gcm/gcm_add_iv.obj src/encauth/gcm/gcm_done.obj src/encauth/gcm/gcm_gf_mult.obj \
 src/encauth/gcm/gcm_init.obj src/encauth/gcm/gcm_memory.obj src/encauth/gcm/gcm_mult_h.obj \
 src/encauth/gcm/gcm_process.obj src/encauth/gcm/gcm_reset.obj src/encauth/gcm/gcm_test.obj \
 src/encauth/ocb/ocb_decrypt.obj src/encauth/ocb/ocb_decrypt_verify_memory.obj \
 src/encauth/ocb/ocb_done_decrypt.obj src/encauth/ocb/ocb_done_encrypt.obj src/encauth/ocb/ocb_encrypt.obj \
 src/encauth/ocb/ocb_encrypt_authenticate_memory.obj src/encauth/ocb/ocb_init.obj src/encauth/ocb/ocb_ntz.obj \
 src/encauth/ocb/ocb_shift_xor.obj src/encauth/ocb/ocb_test.obj src/encauth/ocb/s_ocb_done.obj \
 src/encauth/ocb3/ocb3_add_aad.obj src/encauth/ocb3/ocb3_decrypt.obj src/encauth/ocb3/ocb3_decrypt_last.obj \
@ -48,7 +53,9 @@ src/mac/omac/omac_process.obj src/mac/omac/omac_test.obj src/mac/pelican/pelican
 src/mac/pelican/pelican_memory.obj src/mac/pelican/pelican_test.obj src/mac/pmac/pmac_done.obj \
 src/mac/pmac/pmac_file.obj src/mac/pmac/pmac_init.obj src/mac/pmac/pmac_memory.obj \
 src/mac/pmac/pmac_memory_multi.obj src/mac/pmac/pmac_ntz.obj src/mac/pmac/pmac_process.obj \
-src/mac/pmac/pmac_shift_xor.obj src/mac/pmac/pmac_test.obj src/mac/xcbc/xcbc_done.obj \
+src/mac/pmac/pmac_shift_xor.obj src/mac/pmac/pmac_test.obj src/mac/poly1305/poly1305.obj \
 src/mac/poly1305/poly1305_file.obj src/mac/poly1305/poly1305_memory.obj \
 src/mac/poly1305/poly1305_memory_multi.obj src/mac/poly1305/poly1305_test.obj src/mac/xcbc/xcbc_done.obj \
 src/mac/xcbc/xcbc_file.obj src/mac/xcbc/xcbc_init.obj src/mac/xcbc/xcbc_memory.obj \
 src/mac/xcbc/xcbc_memory_multi.obj src/mac/xcbc/xcbc_process.obj src/mac/xcbc/xcbc_test.obj \
 src/math/fp/ltc_ecc_fp_mulmod.obj src/math/gmp_desc.obj src/math/ltm_desc.obj src/math/multi.obj \
@ -140,8 +147,11 @@ src/pk/pkcs1/pkcs_1_v1_5_encode.obj src/pk/rsa/rsa_decrypt_key.obj src/pk/rsa/rs
 src/pk/rsa/rsa_export.obj src/pk/rsa/rsa_exptmod.obj src/pk/rsa/rsa_free.obj src/pk/rsa/rsa_get_size.obj \
 src/pk/rsa/rsa_import.obj src/pk/rsa/rsa_import_radix.obj src/pk/rsa/rsa_import_x509.obj \
 src/pk/rsa/rsa_make_key.obj src/pk/rsa/rsa_sign_hash.obj src/pk/rsa/rsa_sign_saltlen_get.obj \
-src/pk/rsa/rsa_verify_hash.obj src/prngs/fortuna.obj src/prngs/rc4.obj src/prngs/rng_get_bytes.obj \
+src/pk/rsa/rsa_verify_hash.obj src/prngs/chacha.obj src/prngs/fortuna.obj src/prngs/rc4.obj \
-src/prngs/rng_make_prng.obj src/prngs/sober128.obj src/prngs/sprng.obj src/prngs/yarrow.obj
+src/prngs/rng_get_bytes.obj src/prngs/rng_make_prng.obj src/prngs/sober128.obj src/prngs/sprng.obj \
 src/prngs/yarrow.obj src/stream/chacha/chacha_crypt.obj src/stream/chacha/chacha_done.obj \
 src/stream/chacha/chacha_ivctr32.obj src/stream/chacha/chacha_ivctr64.obj \
 src/stream/chacha/chacha_keystream.obj src/stream/chacha/chacha_setup.obj src/stream/chacha/chacha_test.obj
 HEADERS=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \
 src/headers/tomcrypt_cipher.h src/headers/tomcrypt_custom.h src/headers/tomcrypt_hash.h \
--- a/makefile.shared
+++ b/makefile.shared
@ -39,15 +39,20 @@ src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/saferp.o src/ciphe
 src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_add_aad.o \
 src/encauth/ccm/ccm_add_nonce.o src/encauth/ccm/ccm_done.o src/encauth/ccm/ccm_init.o \
 src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_process.o src/encauth/ccm/ccm_reset.o \
-src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \
+src/encauth/ccm/ccm_test.o src/encauth/chachapoly/chacha20poly1305_add_aad.o \
-src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \
+src/encauth/chachapoly/chacha20poly1305_decrypt.o src/encauth/chachapoly/chacha20poly1305_done.o \
-src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \
+src/encauth/chachapoly/chacha20poly1305_encrypt.o src/encauth/chachapoly/chacha20poly1305_init.o \
-src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \
+src/encauth/chachapoly/chacha20poly1305_memory.o src/encauth/chachapoly/chacha20poly1305_setiv.o \
-src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \
+src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.o \
-src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \
+src/encauth/chachapoly/chacha20poly1305_test.o src/encauth/eax/eax_addheader.o \
-src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \
+src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \
-src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
+src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \
-src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
+src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
 src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
 src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
 src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
 src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
@ -71,7 +76,9 @@ src/mac/omac/omac_process.o src/mac/omac/omac_test.o src/mac/pelican/pelican.o \
 src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o src/mac/pmac/pmac_done.o \
 src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \
 src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \
-src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \
+src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/poly1305/poly1305.o \
 src/mac/poly1305/poly1305_file.o src/mac/poly1305/poly1305_memory.o \
 src/mac/poly1305/poly1305_memory_multi.o src/mac/poly1305/poly1305_test.o src/mac/xcbc/xcbc_done.o \
 src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \
 src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \
 src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \
@ -163,8 +170,11 @@ src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_en
 src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
 src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_radix.o src/pk/rsa/rsa_import_x509.o \
 src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
-src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \
+src/pk/rsa/rsa_verify_hash.o src/prngs/chacha.o src/prngs/fortuna.o src/prngs/rc4.o \
-src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o
 HEADERS=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \
 src/headers/tomcrypt_cipher.h src/headers/tomcrypt_custom.h src/headers/tomcrypt_hash.h \
--- a/makefile.unix
+++ b/makefile.unix
@ -47,15 +47,20 @@ src/ciphers/rc6.o src/ciphers/safer/safer.o src/ciphers/safer/saferp.o src/ciphe
 src/ciphers/twofish/twofish.o src/ciphers/xtea.o src/encauth/ccm/ccm_add_aad.o \
 src/encauth/ccm/ccm_add_nonce.o src/encauth/ccm/ccm_done.o src/encauth/ccm/ccm_init.o \
 src/encauth/ccm/ccm_memory.o src/encauth/ccm/ccm_process.o src/encauth/ccm/ccm_reset.o \
-src/encauth/ccm/ccm_test.o src/encauth/eax/eax_addheader.o src/encauth/eax/eax_decrypt.o \
+src/encauth/ccm/ccm_test.o src/encauth/chachapoly/chacha20poly1305_add_aad.o \
-src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o src/encauth/eax/eax_encrypt.o \
+src/encauth/chachapoly/chacha20poly1305_decrypt.o src/encauth/chachapoly/chacha20poly1305_done.o \
-src/encauth/eax/eax_encrypt_authenticate_memory.o src/encauth/eax/eax_init.o \
+src/encauth/chachapoly/chacha20poly1305_encrypt.o src/encauth/chachapoly/chacha20poly1305_init.o \
-src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o src/encauth/gcm/gcm_add_iv.o \
+src/encauth/chachapoly/chacha20poly1305_memory.o src/encauth/chachapoly/chacha20poly1305_setiv.o \
-src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o src/encauth/gcm/gcm_init.o \
+src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.o \
-src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o src/encauth/gcm/gcm_process.o \
+src/encauth/chachapoly/chacha20poly1305_test.o src/encauth/eax/eax_addheader.o \
-src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o src/encauth/ocb/ocb_decrypt.o \
+src/encauth/eax/eax_decrypt.o src/encauth/eax/eax_decrypt_verify_memory.o src/encauth/eax/eax_done.o \
-src/encauth/ocb/ocb_decrypt_verify_memory.o src/encauth/ocb/ocb_done_decrypt.o \
+src/encauth/eax/eax_encrypt.o src/encauth/eax/eax_encrypt_authenticate_memory.o \
-src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
+src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aad.o \
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
 src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
 src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
 src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
 src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
@ -79,7 +84,9 @@ src/mac/omac/omac_process.o src/mac/omac/omac_test.o src/mac/pelican/pelican.o \
 src/mac/pelican/pelican_memory.o src/mac/pelican/pelican_test.o src/mac/pmac/pmac_done.o \
 src/mac/pmac/pmac_file.o src/mac/pmac/pmac_init.o src/mac/pmac/pmac_memory.o \
 src/mac/pmac/pmac_memory_multi.o src/mac/pmac/pmac_ntz.o src/mac/pmac/pmac_process.o \
-src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/xcbc/xcbc_done.o \
+src/mac/pmac/pmac_shift_xor.o src/mac/pmac/pmac_test.o src/mac/poly1305/poly1305.o \
 src/mac/poly1305/poly1305_file.o src/mac/poly1305/poly1305_memory.o \
 src/mac/poly1305/poly1305_memory_multi.o src/mac/poly1305/poly1305_test.o src/mac/xcbc/xcbc_done.o \
 src/mac/xcbc/xcbc_file.o src/mac/xcbc/xcbc_init.o src/mac/xcbc/xcbc_memory.o \
 src/mac/xcbc/xcbc_memory_multi.o src/mac/xcbc/xcbc_process.o src/mac/xcbc/xcbc_test.o \
 src/math/fp/ltc_ecc_fp_mulmod.o src/math/gmp_desc.o src/math/ltm_desc.o src/math/multi.o \
@ -171,8 +178,11 @@ src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_en
 src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
 src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_radix.o src/pk/rsa/rsa_import_x509.o \
 src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
-src/pk/rsa/rsa_verify_hash.o src/prngs/fortuna.o src/prngs/rc4.o src/prngs/rng_get_bytes.o \
+src/pk/rsa/rsa_verify_hash.o src/prngs/chacha.o src/prngs/fortuna.o src/prngs/rc4.o \
-src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o src/prngs/yarrow.o
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
 src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o
 HEADERS=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \
 src/headers/tomcrypt_cipher.h src/headers/tomcrypt_custom.h src/headers/tomcrypt_hash.h \
--- a/src/encauth/chachapoly/chacha20poly1305_add_aad.c
+++ b/src/encauth/chachapoly/chacha20poly1305_add_aad.c
@ -0,0 +1,34 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
  Add AAD to the ChaCha20Poly1305 state
  @param st     The ChaCha20Poly1305 state
  @param in     The additional authentication data to add to the ChaCha20Poly1305 state
  @param inlen  The length of the ChaCha20Poly1305 data.
  @return CRYPT_OK on success
 */
 int chacha20poly1305_add_aad(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen)
 {
   int err;
   if (inlen == 0) return CRYPT_OK; /* nothing to do */
   LTC_ARGCHK(st != NULL);
   if (st->aadflg == 0) return CRYPT_ERROR;
   if ((err = poly1305_process(&st->poly, in, inlen)) != CRYPT_OK) return err;
   st->aadlen += (ulong64)inlen;
   return CRYPT_OK;
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_decrypt.c
+++ b/src/encauth/chachapoly/chacha20poly1305_decrypt.c
@ -0,0 +1,45 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
   Decrypt bytes of ciphertext with ChaCha20Poly1305
   @param st      The ChaCha20Poly1305 state
   @param in      The ciphertext
   @param inlen   The length of the input (octets)
   @param out     [out] The plaintext (length inlen)
   @return CRYPT_OK if successful
 */
 int chacha20poly1305_decrypt(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out)
 {
   unsigned char padzero[16] = { 0 };
   unsigned long padlen;
   int err;
   if (inlen == 0) return CRYPT_OK; /* nothing to do */
   LTC_ARGCHK(st != NULL);
   if (st->aadflg) {
      padlen = 16 - (st->aadlen % 16);
      if (padlen < 16) {
        if ((err = poly1305_process(&st->poly, padzero, padlen)) != CRYPT_OK) return err;
      }
      st->aadflg = 0; /* no more AAD */
   }
   if (st->aadflg) st->aadflg = 0; /* no more AAD */
   if ((err = poly1305_process(&st->poly, in, inlen)) != CRYPT_OK)         return err;
   if ((err = chacha_crypt(&st->chacha, in, inlen, out)) != CRYPT_OK)      return err;
   st->ctlen += (ulong64)inlen;
   return CRYPT_OK;
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_done.c
+++ b/src/encauth/chachapoly/chacha20poly1305_done.c
@ -0,0 +1,42 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
  Terminate a ChaCha20Poly1305 stream
  @param st      The ChaCha20Poly1305 state
  @param tag     [out] The destination for the MAC tag
  @param taglen  [in/out]  The length of the MAC tag
  @return CRYPT_OK on success
 */
 int chacha20poly1305_done(chacha20poly1305_state *st, unsigned char *tag, unsigned long *taglen)
 {
   unsigned char padzero[16] = { 0 };
   unsigned long padlen;
   unsigned char buf[16];
   int err;
   LTC_ARGCHK(st != NULL);
   padlen = 16 - (st->ctlen % 16);
   if (padlen < 16) {
     if ((err = poly1305_process(&st->poly, padzero, padlen)) != CRYPT_OK) return err;
   }
   STORE64L(st->aadlen, buf);
   STORE64L(st->ctlen, buf + 8);
   if ((err = poly1305_process(&st->poly, buf, 16)) != CRYPT_OK)           return err;
   if ((err = poly1305_done(&st->poly, tag, taglen)) != CRYPT_OK)          return err;
   if ((err = chacha_done(&st->chacha)) != CRYPT_OK)                       return err;
   return CRYPT_OK;
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_encrypt.c
+++ b/src/encauth/chachapoly/chacha20poly1305_encrypt.c
@ -0,0 +1,44 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
   Encrypt bytes of ciphertext with ChaCha20Poly1305
   @param st      The ChaCha20Poly1305 state
   @param in      The plaintext
   @param inlen   The length of the input (octets)
   @param out     [out] The ciphertext (length inlen)
   @return CRYPT_OK if successful
 */
 int chacha20poly1305_encrypt(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out)
 {
   unsigned char padzero[16] = { 0 };
   unsigned long padlen;
   int err;
   if (inlen == 0) return CRYPT_OK; /* nothing to do */
   LTC_ARGCHK(st != NULL);
   if ((err = chacha_crypt(&st->chacha, in, inlen, out)) != CRYPT_OK)         return err;
   if (st->aadflg) {
      padlen = 16 - (st->aadlen % 16);
      if (padlen < 16) {
        if ((err = poly1305_process(&st->poly, padzero, padlen)) != CRYPT_OK) return err;
      }
      st->aadflg = 0; /* no more AAD */
   }
   if ((err = poly1305_process(&st->poly, out, inlen)) != CRYPT_OK)           return err;
   st->ctlen += (ulong64)inlen;
   return CRYPT_OK;
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_init.c
+++ b/src/encauth/chachapoly/chacha20poly1305_init.c
@ -0,0 +1,26 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
   Initialize an ChaCha20Poly1305 context (only the key)
   @param st        [out] The destination of the ChaCha20Poly1305 state
   @param key       The secret key
   @param keylen    The length of the secret key (octets)
   @return CRYPT_OK if successful
 */
 int chacha20poly1305_init(chacha20poly1305_state *st, const unsigned char *key, unsigned long keylen)
 {
   return chacha_setup(&st->chacha, key, keylen, 20);
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_memory.c
+++ b/src/encauth/chachapoly/chacha20poly1305_memory.c
@ -0,0 +1,70 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
  Process an entire GCM packet in one call.
  @param key               The secret key
  @param keylen            The length of the secret key
  @param iv                The initial vector
  @param ivlen             The length of the initial vector
  @param aad               The additional authentication data (header)
  @param aadlen            The length of the aad
  @param in                The plaintext
  @param inlen             The length of the plaintext (ciphertext length is the same)
  @param out               The ciphertext
  @param tag               [out] The MAC tag
  @param taglen            [in/out] The MAC tag length
  @param direction         Encrypt or Decrypt mode (CHCHA20POLY1305_ENCRYPT or CHCHA20POLY1305_DECRYPT)
  @return CRYPT_OK on success
 */
 int chacha20poly1305_memory(const unsigned char *key, unsigned long keylen,
                            const unsigned char *iv,  unsigned long ivlen,
                            const unsigned char *aad, unsigned long aadlen,
                            const unsigned char *in,  unsigned long inlen,
                                  unsigned char *out,
                                  unsigned char *tag, unsigned long *taglen,
                            int direction)
 {
   chacha20poly1305_state st;
   int err;
   LTC_ARGCHK(key != NULL);
   LTC_ARGCHK(iv  != NULL);
   LTC_ARGCHK(in  != NULL);
   LTC_ARGCHK(out != NULL);
   LTC_ARGCHK(tag != NULL);
   if ((err = chacha20poly1305_init(&st, key, keylen)) != CRYPT_OK)          { goto LBL_ERR; }
   if ((err = chacha20poly1305_setiv(&st, iv, ivlen)) != CRYPT_OK)           { goto LBL_ERR; }
   if (aad && aadlen > 0) {
      if ((err = chacha20poly1305_add_aad(&st, aad, aadlen)) != CRYPT_OK)    { goto LBL_ERR; }
   }
   if (direction == CHCHA20POLY1305_ENCRYPT) {
      if ((err = chacha20poly1305_encrypt(&st, in, inlen, out)) != CRYPT_OK) { goto LBL_ERR; }
   }
   else if (direction == CHCHA20POLY1305_DECRYPT) {
      if ((err = chacha20poly1305_decrypt(&st, in, inlen, out)) != CRYPT_OK) { goto LBL_ERR; }
   }
   else {
      err = CRYPT_INVALID_ARG;
      goto LBL_ERR;
   }
   err = chacha20poly1305_done(&st, tag, taglen);
 LBL_ERR:
 #ifdef LTC_CLEAN_STACK
   zeromem(&st, sizeof(chacha20poly1305_state));
 #endif
   return err;
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_setiv.c
+++ b/src/encauth/chachapoly/chacha20poly1305_setiv.c
@ -0,0 +1,64 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
  Set IV + counter data to the ChaCha20Poly1305 state and reset the context
  @param st     The ChaCha20Poly1305 state
  @param iv     The IV data to add
  @param inlen  The length of the IV (must be 12 or 8)
  @return CRYPT_OK on success
 */
 int chacha20poly1305_setiv(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen)
 {
   chacha_state tmp_st;
   int i, err;
   unsigned char polykey[32];
   LTC_ARGCHK(st != NULL);
   LTC_ARGCHK(iv != NULL);
   LTC_ARGCHK(ivlen == 12 || ivlen == 8);
   /* set IV for chacha20 */
   if (ivlen == 12) {
      /* IV 96bit */
      if ((err = chacha_ivctr32(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err;
   }
   else {
      /* IV 64bit */
      if ((err = chacha_ivctr64(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err;
   }
   /* copy chacha20 key to temporary state */
   for(i = 0; i < 12; i++) tmp_st.input[i] = st->chacha.input[i];
   tmp_st.rounds = 20;
   /* set IV */
   if (ivlen == 12) {
      /* IV 32bit */
      if ((err = chacha_ivctr32(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err;
   }
   else {
      /* IV 64bit */
      if ((err = chacha_ivctr64(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err;
   }
   /* (re)generate new poly1305 key */
   if ((err = chacha_keystream(&tmp_st, polykey, 32)) != CRYPT_OK) return err;
   /* (re)initialise poly1305 */
   if ((err = poly1305_init(&st->poly, polykey, 32)) != CRYPT_OK) return err;
   st->ctlen  = 0;
   st->aadlen = 0;
   st->aadflg = 1;
   return CRYPT_OK;
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.c
+++ b/src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.c
@ -0,0 +1,36 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 /**
  Set IV + counter data (with RFC7905-magic) to the ChaCha20Poly1305 state and reset the context
  @param st     The ChaCha20Poly1305 state
  @param iv     The IV data to add
  @param inlen  The length of the IV (must be 12 or 8)
  @param sequence_number   64bit sequence number which is incorporated into IV as described in RFC7905
  @return CRYPT_OK on success
 */
 int chacha20poly1305_setiv_rfc7905(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen, ulong64 sequence_number)
 {
   int i;
   unsigned char combined_iv[12] = { 0 };
   LTC_ARGCHK(st != NULL);
   LTC_ARGCHK(iv != NULL);
   LTC_ARGCHK(ivlen == 12);
   STORE64L(sequence_number, combined_iv + 4);
   for (i = 0; i < 12; i++) combined_iv[i] = iv[i] ^ combined_iv[i];
   return chacha20poly1305_setiv(st, combined_iv, 12);
 }
 #endif
--- a/src/encauth/chachapoly/chacha20poly1305_test.c
+++ b/src/encauth/chachapoly/chacha20poly1305_test.c
@ -0,0 +1,109 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20POLY1305_MODE
 int chacha20poly1305_test(void)
 {
 #ifndef LTC_TEST
   return CRYPT_NOP;
 #else
   chacha20poly1305_state st1, st2;
   unsigned char k[]   = { 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f };
   unsigned char iv[]  = { 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 };
   unsigned char aad[] = { 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 };
   unsigned char enc[] = { 0xD3, 0x1A, 0x8D, 0x34, 0x64, 0x8E, 0x60, 0xDB, 0x7B, 0x86, 0xAF, 0xBC, 0x53, 0xEF, 0x7E, 0xC2,
                           0xA4, 0xAD, 0xED, 0x51, 0x29, 0x6E, 0x08, 0xFE, 0xA9, 0xE2, 0xB5, 0xA7, 0x36, 0xEE, 0x62, 0xD6,
                           0x3D, 0xBE, 0xA4, 0x5E, 0x8C, 0xA9, 0x67, 0x12, 0x82, 0xFA, 0xFB, 0x69, 0xDA, 0x92, 0x72, 0x8B,
                           0x1A, 0x71, 0xDE, 0x0A, 0x9E, 0x06, 0x0B, 0x29, 0x05, 0xD6, 0xA5, 0xB6, 0x7E, 0xCD, 0x3B, 0x36,
                           0x92, 0xDD, 0xBD, 0x7F, 0x2D, 0x77, 0x8B, 0x8C, 0x98, 0x03, 0xAE, 0xE3, 0x28, 0x09, 0x1B, 0x58,
                           0xFA, 0xB3, 0x24, 0xE4, 0xFA, 0xD6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8B, 0x48, 0x31, 0xD7, 0xBC,
                           0x3F, 0xF4, 0xDE, 0xF0, 0x8E, 0x4B, 0x7A, 0x9D, 0xE5, 0x76, 0xD2, 0x65, 0x86, 0xCE, 0xC6, 0x4B,
                           0x61, 0x16 };
   unsigned char tag[] = { 0x1A, 0xE1, 0x0B, 0x59, 0x4F, 0x09, 0xE2, 0x6A, 0x7E, 0x90, 0x2E, 0xCB, 0xD0, 0x60, 0x06, 0x91 };
   char m[] = "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.";
   unsigned long mlen = strlen(m);
   unsigned long len;
   unsigned char rfc7905_pt[]  = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F };
   unsigned char rfc7905_enc[] = { 0xE4, 0x62, 0x85, 0xB4, 0x29, 0x95, 0x34, 0x96, 0xAB, 0xFB, 0x67, 0xCD, 0xAE, 0xAC, 0x94, 0x1E };
   unsigned char rfc7905_tag[] = { 0x16, 0x2C, 0x92, 0x48, 0x2A, 0xDB, 0xD3, 0x5D, 0x48, 0xBE, 0xC6, 0xFF, 0x10, 0x9C, 0xBA, 0xE4 };
   unsigned char ct[1000], pt[1000], emac[16], dmac[16];
   /* encrypt */
   chacha20poly1305_init(&st1, k, sizeof(k));
   chacha20poly1305_setiv(&st1, iv, sizeof(iv));
   chacha20poly1305_add_aad(&st1, aad, sizeof(aad));
   /* encrypt piece by piece */
   chacha20poly1305_encrypt(&st1, (unsigned char *)m,      25,        ct);
   chacha20poly1305_encrypt(&st1, (unsigned char *)m + 25, 10,        ct + 25);
   chacha20poly1305_encrypt(&st1, (unsigned char *)m + 35, 35,        ct + 35);
   chacha20poly1305_encrypt(&st1, (unsigned char *)m + 70, 5,         ct + 70);
   chacha20poly1305_encrypt(&st1, (unsigned char *)m + 75, 5,         ct + 75);
   chacha20poly1305_encrypt(&st1, (unsigned char *)m + 80, mlen - 80, ct + 80);
   len = sizeof(emac);
   chacha20poly1305_done(&st1, emac, &len);
   if (compare_testvector(ct, mlen, enc, sizeof(enc), "ENC-CT", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   if (compare_testvector(emac, len, tag, sizeof(tag), "ENC-TAG", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* decrypt */
   chacha20poly1305_init(&st2, k, len = sizeof(k));
   chacha20poly1305_setiv(&st2, iv, len = sizeof(iv));
   chacha20poly1305_add_aad(&st2, aad, len = sizeof(aad));
   chacha20poly1305_decrypt(&st2, ct,      21,        pt);
   chacha20poly1305_decrypt(&st2, ct + 21, mlen - 21, pt + 21);
   len = sizeof(dmac);
   chacha20poly1305_done(&st2, dmac, &len);
   if (compare_testvector(pt, mlen, m, mlen, "DEC-PT", 3) != 0) return CRYPT_FAIL_TESTVECTOR;
   if (compare_testvector(dmac, len, tag, sizeof(tag), "DEC-TAG", 4) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* chacha20poly1305_memory - encrypt */
   len = sizeof(emac);
   chacha20poly1305_memory(k, sizeof(k), iv, sizeof(iv), aad, sizeof(aad),
                           (unsigned char *)m, mlen, ct, emac, &len, CHCHA20POLY1305_ENCRYPT);
   if (compare_testvector(ct, mlen, enc, sizeof(enc), "ENC-CT2", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   if (compare_testvector(emac, len, tag, sizeof(tag), "ENC-TAG2", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* chacha20poly1305_memory - decrypt */
   len = sizeof(dmac);
   chacha20poly1305_memory(k, sizeof(k), iv, sizeof(iv), aad, sizeof(aad),
                           ct, mlen, pt, dmac, &len, CHCHA20POLY1305_DECRYPT);
   if (compare_testvector(pt, mlen, m, mlen, "DEC-PT2", 3) != 0) return CRYPT_FAIL_TESTVECTOR;
   if (compare_testvector(dmac, len, tag, sizeof(tag), "DEC-TAG2", 4) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* encrypt - rfc7905 */
   chacha20poly1305_init(&st1, k, sizeof(k));
   chacha20poly1305_setiv_rfc7905(&st1, iv, sizeof(iv), CONST64(0x1122334455667788));
   chacha20poly1305_add_aad(&st1, aad, sizeof(aad));
   chacha20poly1305_encrypt(&st1, rfc7905_pt, 16, ct);
   len = sizeof(emac);
   chacha20poly1305_done(&st1, emac, &len);
   if (compare_testvector(ct, 16, rfc7905_enc, 16, "ENC-CT3", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   if (compare_testvector(emac, len, rfc7905_tag, 16, "ENC-TAG3", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* decrypt - rfc7905 */
   chacha20poly1305_init(&st1, k, sizeof(k));
   chacha20poly1305_setiv_rfc7905(&st1, iv, sizeof(iv), CONST64(0x1122334455667788));
   chacha20poly1305_add_aad(&st1, aad, sizeof(aad));
   chacha20poly1305_decrypt(&st1, ct, 16, pt);
   len = sizeof(dmac);
   chacha20poly1305_done(&st1, dmac, &len);
   if (compare_testvector(pt, 16, rfc7905_pt, 16, "DEC-CT3", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   if (compare_testvector(dmac, len, rfc7905_tag, 16, "DEC-TAG3", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
   return CRYPT_OK;
 #endif
 };
 #endif
--- a/src/headers/tomcrypt_cipher.h
+++ b/src/headers/tomcrypt_cipher.h
@ -937,6 +937,28 @@ int cipher_is_valid(int idx);
 LTC_MUTEX_PROTO(ltc_cipher_mutex)
 /* ---- stream ciphers ---- */
 #ifdef LTC_CHACHA
 typedef struct {
   ulong32 input[16];
   unsigned char kstream[64];
   unsigned long ksleft;
   unsigned long ivlen;
   int rounds;
 } chacha_state;
 int chacha_setup(chacha_state *st, const unsigned char *key, unsigned long keylen, int rounds);
 int chacha_ivctr32(chacha_state *st, const unsigned char *iv, unsigned long ivlen, ulong32 counter);
 int chacha_ivctr64(chacha_state *st, const unsigned char *iv, unsigned long ivlen, ulong64 counter);
 int chacha_crypt(chacha_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out);
 int chacha_keystream(chacha_state *st, unsigned char *out, unsigned long outlen);
 int chacha_done(chacha_state *st);
 int chacha_test(void);
 #endif /* LTC_CHACHA */
 /* $Source$ */
 /* $Revision$ */
 /* $Date$ */
--- a/src/headers/tomcrypt_custom.h
+++ b/src/headers/tomcrypt_custom.h
@ -189,6 +189,8 @@
 #define LTC_KASUMI
 #define LTC_MULTI2
 #define LTC_CAMELLIA
 /* ChaCha is special (a stream cipher) */
 #define LTC_CHACHA
 #endif /* LTC_NO_CIPHERS */
@ -255,6 +257,7 @@
 #define LTC_XCBC
 #define LTC_F9_MODE
 #define LTC_PELICAN
 #define LTC_POLY1305
 /* ---> Encrypt + Authenticate Modes <--- */
@ -264,6 +267,7 @@
 #define LTC_OCB3_MODE
 #define LTC_CCM_MODE
 #define LTC_GCM_MODE
 #define LTC_CHACHA20POLY1305_MODE
 /* Use 64KiB tables */
 #ifndef LTC_NO_TABLES
@ -290,6 +294,9 @@
 /* The LTC_RC4 stream cipher */
 #define LTC_RC4
 /* The ChaCha20 stream cipher based PRNG */
 #define LTC_CHACHA20_PRNG
 /* Fortuna PRNG */
 #define LTC_FORTUNA
@ -504,6 +511,14 @@
   #error PK requires ASN.1 DER functionality, make sure LTC_DER is enabled
 #endif
 #if defined(LTC_CHACHA20POLY1305_MODE) && (!defined(LTC_CHACHA) || !defined(LTC_POLY1305))
   #error LTC_CHACHA20POLY1305_MODE requires LTC_CHACHA + LTC_POLY1305
 #endif
 #if defined(LTC_CHACHA20_PRNG) && !defined(LTC_CHACHA)
   #error LTC_CHACHA20_PRNG requires LTC_CHACHA
 #endif
 /* THREAD management */
 #ifdef LTC_PTHREAD
@ -535,7 +550,12 @@
 #endif
-
+#ifndef LTC_NO_FILE
   /* buffer size for reading from a file via fread(..) */
   #ifndef LTC_FILE_READ_BUFSIZE
   #define LTC_FILE_READ_BUFSIZE 8192
   #endif
 #endif
 /* $Source$ */
 /* $Revision$ */
--- a/src/headers/tomcrypt_mac.h
+++ b/src/headers/tomcrypt_mac.h
@ -96,6 +96,26 @@ void pmac_shift_xor(pmac_state *pmac);
 #endif /* PMAC */
 #ifdef LTC_POLY1305
 typedef struct {
   ulong32 r[5];
   ulong32 h[5];
   ulong32 pad[4];
   unsigned long leftover;
   unsigned char buffer[16];
   int final;
 } poly1305_state;
 int poly1305_init(poly1305_state *st, const unsigned char *key, unsigned long keylen);
 int poly1305_process(poly1305_state *st, const unsigned char *in, unsigned long inlen);
 int poly1305_done(poly1305_state *st, unsigned char *mac, unsigned long *maclen);
 int poly1305_test(void);
 int poly1305_memory(const unsigned char *key, unsigned long keylen, const unsigned char *in, unsigned long inlen, unsigned char *mac, unsigned long *maclen);
 int poly1305_memory_multi(const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen, const unsigned char *in,  unsigned long inlen, ...);
 int poly1305_file(const char *fname, const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen);
 int poly1305_test(void);
 #endif /* LTC_POLY1305 */
 #ifdef LTC_EAX_MODE
 #if !(defined(LTC_OMAC) && defined(LTC_CTR_MODE))
@ -477,6 +497,36 @@ int f9_test(void);
 #endif
 #ifdef LTC_CHACHA20POLY1305_MODE
 typedef struct {
   poly1305_state poly;
   chacha_state chacha;
   ulong64 aadlen;
   ulong64 ctlen;
   int aadflg;
 } chacha20poly1305_state;
 #define CHCHA20POLY1305_ENCRYPT 0
 #define CHCHA20POLY1305_DECRYPT 1
 int chacha20poly1305_init(chacha20poly1305_state *st, const unsigned char *key, unsigned long keylen);
 int chacha20poly1305_setiv(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen);
 int chacha20poly1305_setiv_rfc7905(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen, ulong64 sequence_number);
 int chacha20poly1305_add_aad(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen);
 int chacha20poly1305_encrypt(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out);
 int chacha20poly1305_decrypt(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out);
 int chacha20poly1305_done(chacha20poly1305_state *st, unsigned char *tag, unsigned long *taglen);
 int chacha20poly1305_memory(const unsigned char *key, unsigned long keylen,
                            const unsigned char *iv,  unsigned long ivlen,
                            const unsigned char *aad, unsigned long aadlen,
                            const unsigned char *in,  unsigned long inlen,
                                  unsigned char *out,
                                  unsigned char *tag, unsigned long *taglen,
                            int direction);
 int chacha20poly1305_test(void);
 #endif /* LTC_CHACHA20POLY1305_MODE */
 /* $Source$ */
 /* $Revision$ */
--- a/src/headers/tomcrypt_prng.h
+++ b/src/headers/tomcrypt_prng.h
@ -15,6 +15,15 @@ struct rc4_prng {
 };
 #endif
 #ifdef LTC_CHACHA20_PRNG
 struct chacha20_prng {
    chacha_state s;        /* chacha state */
    unsigned char ent[40]; /* entropy buffer */
    unsigned long idx;     /* entropy counter */
    short ready;           /* ready flag 0-1 */
 };
 #endif
 #ifdef LTC_FORTUNA
 struct fortuna_prng {
    hash_state pool[LTC_FORTUNA_POOLS];     /* the  pools */
@ -55,6 +64,9 @@ typedef union Prng_state {
 #ifdef LTC_RC4
    struct rc4_prng       rc4;
 #endif
 #ifdef LTC_CHACHA20_PRNG
    struct chacha20_prng  chacha;
 #endif
 #ifdef LTC_FORTUNA
    struct fortuna_prng   fortuna;
 #endif
@ -154,6 +166,18 @@ int  rc4_test(void);
 extern const struct ltc_prng_descriptor rc4_desc;
 #endif
 #ifdef LTC_CHACHA20_PRNG
 int chacha_prng_start(prng_state *prng);
 int chacha_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng);
 int chacha_prng_ready(prng_state *prng);
 unsigned long chacha_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng);
 int  chacha_prng_done(prng_state *prng);
 int  chacha_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng);
 int  chacha_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng);
 int  chacha_prng_test(void);
 extern const struct ltc_prng_descriptor chacha20_prng_desc;
 #endif
 #ifdef LTC_SPRNG
 int sprng_start(prng_state *prng);
 int sprng_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng);
--- a/src/mac/poly1305/poly1305.c
+++ b/src/mac/poly1305/poly1305.c
@ -0,0 +1,264 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * Public Domain poly1305 from Andrew Moon
 * https://github.com/floodyberry/poly1305-donna
 */
 #include "tomcrypt.h"
 #ifdef LTC_POLY1305
 /* internal only */
 static void _poly1305_block(poly1305_state *st, const unsigned char *in, unsigned long inlen)
 {
   const unsigned long hibit = (st->final) ? 0 : (1UL << 24); /* 1 << 128 */
   ulong32 r0,r1,r2,r3,r4;
   ulong32 s1,s2,s3,s4;
   ulong32 h0,h1,h2,h3,h4;
   ulong32 tmp;
   ulong64 d0,d1,d2,d3,d4;
   ulong32 c;
   r0 = st->r[0];
   r1 = st->r[1];
   r2 = st->r[2];
   r3 = st->r[3];
   r4 = st->r[4];
   s1 = r1 * 5;
   s2 = r2 * 5;
   s3 = r3 * 5;
   s4 = r4 * 5;
   h0 = st->h[0];
   h1 = st->h[1];
   h2 = st->h[2];
   h3 = st->h[3];
   h4 = st->h[4];
   while (inlen >= 16) {
      /* h += in[i] */
      LOAD32L(tmp, in+ 0); h0 += (tmp     ) & 0x3ffffff;
      LOAD32L(tmp, in+ 3); h1 += (tmp >> 2) & 0x3ffffff;
      LOAD32L(tmp, in+ 6); h2 += (tmp >> 4) & 0x3ffffff;
      LOAD32L(tmp, in+ 9); h3 += (tmp >> 6) & 0x3ffffff;
      LOAD32L(tmp, in+12); h4 += (tmp >> 8) | hibit;
      /* h *= r */
      d0 = ((ulong64)h0 * r0) + ((ulong64)h1 * s4) + ((ulong64)h2 * s3) + ((ulong64)h3 * s2) + ((ulong64)h4 * s1);
      d1 = ((ulong64)h0 * r1) + ((ulong64)h1 * r0) + ((ulong64)h2 * s4) + ((ulong64)h3 * s3) + ((ulong64)h4 * s2);
      d2 = ((ulong64)h0 * r2) + ((ulong64)h1 * r1) + ((ulong64)h2 * r0) + ((ulong64)h3 * s4) + ((ulong64)h4 * s3);
      d3 = ((ulong64)h0 * r3) + ((ulong64)h1 * r2) + ((ulong64)h2 * r1) + ((ulong64)h3 * r0) + ((ulong64)h4 * s4);
      d4 = ((ulong64)h0 * r4) + ((ulong64)h1 * r3) + ((ulong64)h2 * r2) + ((ulong64)h3 * r1) + ((ulong64)h4 * r0);
      /* (partial) h %= p */
                    c = (ulong32)(d0 >> 26); h0 = (ulong32)d0 & 0x3ffffff;
      d1 += c;      c = (ulong32)(d1 >> 26); h1 = (ulong32)d1 & 0x3ffffff;
      d2 += c;      c = (ulong32)(d2 >> 26); h2 = (ulong32)d2 & 0x3ffffff;
      d3 += c;      c = (ulong32)(d3 >> 26); h3 = (ulong32)d3 & 0x3ffffff;
      d4 += c;      c = (ulong32)(d4 >> 26); h4 = (ulong32)d4 & 0x3ffffff;
      h0 += c * 5;  c =          (h0 >> 26); h0 =          h0 & 0x3ffffff;
      h1 += c;
      in += 16;
      inlen -= 16;
   }
   st->h[0] = h0;
   st->h[1] = h1;
   st->h[2] = h2;
   st->h[3] = h3;
   st->h[4] = h4;
 }
 /**
   Initialize an POLY1305 context.
   @param st       The POLY1305 state
   @param key      The secret key
   @param keylen   The length of the secret key (octets)
   @return CRYPT_OK if successful
 */
 int poly1305_init(poly1305_state *st, const unsigned char *key, unsigned long keylen)
 {
   LTC_ARGCHK(st  != NULL);
   LTC_ARGCHK(key != NULL);
   LTC_ARGCHK(keylen == 32);
   /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
   LOAD32L(st->r[0], key +  0); st->r[0] = (st->r[0]     ) & 0x3ffffff;
   LOAD32L(st->r[1], key +  3); st->r[1] = (st->r[1] >> 2) & 0x3ffff03;
   LOAD32L(st->r[2], key +  6); st->r[2] = (st->r[2] >> 4) & 0x3ffc0ff;
   LOAD32L(st->r[3], key +  9); st->r[3] = (st->r[3] >> 6) & 0x3f03fff;
   LOAD32L(st->r[4], key + 12); st->r[4] = (st->r[4] >> 8) & 0x00fffff;
   /* h = 0 */
   st->h[0] = 0;
   st->h[1] = 0;
   st->h[2] = 0;
   st->h[3] = 0;
   st->h[4] = 0;
   /* save pad for later */
   LOAD32L(st->pad[0], key + 16);
   LOAD32L(st->pad[1], key + 20);
   LOAD32L(st->pad[2], key + 24);
   LOAD32L(st->pad[3], key + 28);
   st->leftover = 0;
   st->final = 0;
   return CRYPT_OK;
 }
 /**
  Process data through POLY1305
  @param st      The POLY1305 state
  @param in      The data to send through HMAC
  @param inlen   The length of the data to HMAC (octets)
  @return CRYPT_OK if successful
 */
 int poly1305_process(poly1305_state *st, const unsigned char *in, unsigned long inlen)
 {
   unsigned long i;
   if (inlen == 0) return CRYPT_OK; /* nothing to do */
   LTC_ARGCHK(st != NULL);
   LTC_ARGCHK(in != NULL);
   /* handle leftover */
   if (st->leftover) {
      unsigned long want = (16 - st->leftover);
      if (want > inlen) want = inlen;
      for (i = 0; i < want; i++) st->buffer[st->leftover + i] = in[i];
      inlen -= want;
      in += want;
      st->leftover += want;
      if (st->leftover < 16) return CRYPT_OK;
      _poly1305_block(st, st->buffer, 16);
      st->leftover = 0;
   }
   /* process full blocks */
   if (inlen >= 16) {
      unsigned long want = (inlen & ~(16 - 1));
      _poly1305_block(st, in, want);
      in += want;
      inlen -= want;
   }
   /* store leftover */
   if (inlen) {
      for (i = 0; i < inlen; i++) st->buffer[st->leftover + i] = in[i];
      st->leftover += inlen;
   }
   return CRYPT_OK;
 }
 /**
   Terminate a POLY1305 session
   @param st      The POLY1305 state
   @param out     [out] The destination of the POLY1305 authentication tag
   @param outlen  [in/out]  The max size and resulting size of the POLY1305 authentication tag
   @return CRYPT_OK if successful
 */
 int poly1305_done(poly1305_state *st, unsigned char *mac, unsigned long *maclen)
 {
   ulong32 h0,h1,h2,h3,h4,c;
   ulong32 g0,g1,g2,g3,g4;
   ulong64 f;
   ulong32 mask;
   LTC_ARGCHK(st     != NULL);
   LTC_ARGCHK(mac    != NULL);
   LTC_ARGCHK(maclen != NULL);
   LTC_ARGCHK(*maclen >= 16);
   /* process the remaining block */
   if (st->leftover) {
      unsigned long i = st->leftover;
      st->buffer[i++] = 1;
      for (; i < 16; i++) st->buffer[i] = 0;
      st->final = 1;
      _poly1305_block(st, st->buffer, 16);
   }
   /* fully carry h */
   h0 = st->h[0];
   h1 = st->h[1];
   h2 = st->h[2];
   h3 = st->h[3];
   h4 = st->h[4];
                c = h1 >> 26; h1 = h1 & 0x3ffffff;
   h2 +=     c; c = h2 >> 26; h2 = h2 & 0x3ffffff;
   h3 +=     c; c = h3 >> 26; h3 = h3 & 0x3ffffff;
   h4 +=     c; c = h4 >> 26; h4 = h4 & 0x3ffffff;
   h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff;
   h1 +=     c;
   /* compute h + -p */
   g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;
   g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
   g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;
   g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
   g4 = h4 + c - (1UL << 26);
   /* select h if h < p, or h + -p if h >= p */
   mask = (g4 >> 31) - 1;
   g0 &= mask;
   g1 &= mask;
   g2 &= mask;
   g3 &= mask;
   g4 &= mask;
   mask = ~mask;
   h0 = (h0 & mask) | g0;
   h1 = (h1 & mask) | g1;
   h2 = (h2 & mask) | g2;
   h3 = (h3 & mask) | g3;
   h4 = (h4 & mask) | g4;
   /* h = h % (2^128) */
   h0 = ((h0      ) | (h1 << 26)) & 0xffffffff;
   h1 = ((h1 >>  6) | (h2 << 20)) & 0xffffffff;
   h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
   h3 = ((h3 >> 18) | (h4 <<  8)) & 0xffffffff;
   /* mac = (h + pad) % (2^128) */
   f = (ulong64)h0 + st->pad[0]            ; h0 = (ulong32)f;
   f = (ulong64)h1 + st->pad[1] + (f >> 32); h1 = (ulong32)f;
   f = (ulong64)h2 + st->pad[2] + (f >> 32); h2 = (ulong32)f;
   f = (ulong64)h3 + st->pad[3] + (f >> 32); h3 = (ulong32)f;
   STORE32L(h0, mac +  0);
   STORE32L(h1, mac +  4);
   STORE32L(h2, mac +  8);
   STORE32L(h3, mac + 12);
   /* zero out the state */
   st->h[0] = 0;
   st->h[1] = 0;
   st->h[2] = 0;
   st->h[3] = 0;
   st->h[4] = 0;
   st->r[0] = 0;
   st->r[1] = 0;
   st->r[2] = 0;
   st->r[3] = 0;
   st->r[4] = 0;
   st->pad[0] = 0;
   st->pad[1] = 0;
   st->pad[2] = 0;
   st->pad[3] = 0;
   *maclen = 16;
   return CRYPT_OK;
 }
 #endif
--- a/src/mac/poly1305/poly1305_file.c
+++ b/src/mac/poly1305/poly1305_file.c
@ -0,0 +1,70 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * Public Domain poly1305 from Andrew Moon
 * https://github.com/floodyberry/poly1305-donna
 */
 #include "tomcrypt.h"
 #ifdef LTC_POLY1305
 /**
  POLY1305 a file
  @param fname    The name of the file you wish to POLY1305
  @param key      The secret key
  @param keylen   The length of the secret key
  @param out      [out] The POLY1305 authentication tag
  @param outlen   [in/out]  The max size and resulting size of the authentication tag
  @return CRYPT_OK if successful, CRYPT_NOP if file support has been disabled
 */
 int poly1305_file(const char *fname, const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen)
 {
 #ifdef LTC_NO_FILE
   return CRYPT_NOP;
 #else
   poly1305_state st;
   FILE *in;
   unsigned char *buf;
   size_t x;
   int err;
   LTC_ARGCHK(fname  != NULL);
   LTC_ARGCHK(key    != NULL);
   LTC_ARGCHK(mac    != NULL);
   LTC_ARGCHK(maclen != NULL);
   if ((in = fopen(fname, "rb")) == NULL)                   { return CRYPT_FILE_NOTFOUND; }
   if ((buf = XMALLOC(LTC_FILE_READ_BUFSIZE)) == NULL)      { return CRYPT_MEM; }
   if ((err = poly1305_init(&st, key, keylen)) != CRYPT_OK) { goto LBL_ERR; }
   do {
      x = fread(buf, 1, LTC_FILE_READ_BUFSIZE, in);
      if ((err = poly1305_process(&st, buf, (unsigned long)x)) != CRYPT_OK) {
         fclose(in);
         goto LBL_ERR;
      }
   } while (x == LTC_FILE_READ_BUFSIZE);
   if (fclose(in) != 0)  {
      err = CRYPT_ERROR;
      goto LBL_ERR;
   }
   err = poly1305_done(&st, mac, maclen);
 LBL_ERR:
 #ifdef LTC_CLEAN_STACK
   zeromem(&st, sizeof(poly1305_state));
 #endif
   XFREE(buf);
   return err;
 #endif
 };
 #endif
--- a/src/mac/poly1305/poly1305_memory.c
+++ b/src/mac/poly1305/poly1305_memory.c
@ -0,0 +1,49 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * Public Domain poly1305 from Andrew Moon
 * https://github.com/floodyberry/poly1305-donna
 */
 #include "tomcrypt.h"
 #ifdef LTC_POLY1305
 /**
   POLY1305 a block of memory to produce the authentication tag
   @param key       The secret key
   @param keylen    The length of the secret key (octets)
   @param in        The data to POLY1305
   @param inlen     The length of the data to POLY1305 (octets)
   @param mac       [out] Destination of the authentication tag
   @param maclen    [in/out] Max size and resulting size of authentication tag
   @return CRYPT_OK if successful
 */
 int poly1305_memory(const unsigned char *key, unsigned long keylen, const unsigned char *in, unsigned long inlen, unsigned char *mac, unsigned long *maclen)
 {
   poly1305_state st;
   int err;
   LTC_ARGCHK(key    != NULL);
   LTC_ARGCHK(in     != NULL);
   LTC_ARGCHK(mac    != NULL);
   LTC_ARGCHK(maclen != NULL);
   if ((err = poly1305_init(&st, key, keylen))  != CRYPT_OK) { goto LBL_ERR; }
   if ((err = poly1305_process(&st, in, inlen)) != CRYPT_OK) { goto LBL_ERR; }
   err = poly1305_done(&st, mac, maclen);
 LBL_ERR:
 #ifdef LTC_CLEAN_STACK
   zeromem(&st, sizeof(poly1305_state));
 #endif
   return err;
 };
 #endif
--- a/src/mac/poly1305/poly1305_memory_multi.c
+++ b/src/mac/poly1305/poly1305_memory_multi.c
@ -0,0 +1,63 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * Public Domain poly1305 from Andrew Moon
 * https://github.com/floodyberry/poly1305-donna
 */
 #include "tomcrypt.h"
 #include <stdarg.h>
 #ifdef LTC_POLY1305
 /**
   POLY1305 multiple blocks of memory to produce the authentication tag
   @param key       The secret key
   @param keylen    The length of the secret key (octets)
   @param out       [out] Destination of the authentication tag
   @param outlen    [in/out] Max size and resulting size of authentication tag
   @param in        The data to POLY1305
   @param inlen     The length of the data to POLY1305 (octets)
   @param ...       tuples of (data,len) pairs to POLY1305, terminated with a (NULL,x) (x=don't care)
   @return CRYPT_OK if successful
 */
 int poly1305_memory_multi(const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen, const unsigned char *in,  unsigned long inlen, ...)
 {
   poly1305_state st;
   int err;
   va_list args;
   const unsigned char *curptr;
   unsigned long curlen;
   LTC_ARGCHK(key    != NULL);
   LTC_ARGCHK(in     != NULL);
   LTC_ARGCHK(mac    != NULL);
   LTC_ARGCHK(maclen != NULL);
   va_start(args, inlen);
   curptr = in;
   curlen = inlen;
   if ((err = poly1305_init(&st, key, keylen)) != CRYPT_OK)          { goto LBL_ERR; }
   for (;;) {
      if ((err = poly1305_process(&st, curptr, curlen)) != CRYPT_OK) { goto LBL_ERR; }
      curptr = va_arg(args, const unsigned char*);
      if (curptr == NULL) break;
      curlen = va_arg(args, unsigned long);
   }
   err = poly1305_done(&st, mac, maclen);
 LBL_ERR:
 #ifdef LTC_CLEAN_STACK
   zeromem(&st, sizeof(poly1305_state));
 #endif
   va_end(args);
   return err;
 };
 #endif
--- a/src/mac/poly1305/poly1305_test.c
+++ b/src/mac/poly1305/poly1305_test.c
@ -0,0 +1,50 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * Public Domain poly1305 from Andrew Moon
 * https://github.com/floodyberry/poly1305-donna
 */
 #include "tomcrypt.h"
 #ifdef LTC_POLY1305
 int poly1305_test(void)
 {
 #ifndef LTC_TEST
   return CRYPT_NOP;
 #else
   /* https://tools.ietf.org/html/rfc7539#section-2.5.2 */
   unsigned char k[]   = { 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33, 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8, 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd, 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b };
   unsigned char tag[] = { 0xA8, 0x06, 0x1D, 0xC1, 0x30, 0x51, 0x36, 0xC6, 0xC2, 0x2B, 0x8B, 0xAF, 0x0C, 0x01, 0x27, 0xA9 };
   char m[] = "Cryptographic Forum Research Group";
   unsigned long len = 16, mlen = strlen(m);
   unsigned char out[1000];
   poly1305_state st;
   /* process piece by piece */
   poly1305_init(&st, k, 32);
   poly1305_process(&st, (unsigned char*)m,      5);
   poly1305_process(&st, (unsigned char*)m + 5,  4);
   poly1305_process(&st, (unsigned char*)m + 9,  3);
   poly1305_process(&st, (unsigned char*)m + 12, 2);
   poly1305_process(&st, (unsigned char*)m + 14, 1);
   poly1305_process(&st, (unsigned char*)m + 15, mlen - 15);
   poly1305_done(&st, out, &len);
   if (compare_testvector(out, len, tag, sizeof(tag), "POLY1305-TV1", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* process in one go */
   poly1305_init(&st, k, 32);
   poly1305_process(&st, (unsigned char*)m, mlen);
   poly1305_done(&st, out, &len);
   if (compare_testvector(out, len, tag, sizeof(tag), "POLY1305-TV2", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   return CRYPT_OK;
 #endif
 };
 #endif
--- a/src/misc/crypt/crypt.c
+++ b/src/misc/crypt/crypt.c
@ -124,6 +124,9 @@ const char *crypt_build_settings =
 #if defined(LTC_CAMELLIA)
   "   Camellia\n"
 #endif
 #if defined(LTC_CHACHA)
   "   ChaCha\n"
 #endif
    "\nHashes built-in:\n"
 #if defined(LTC_SHA3)
@ -230,6 +233,9 @@ const char *crypt_build_settings =
 #if defined(LTC_F9_MODE)
    "   F9\n"
 #endif
 #if defined(LTC_POLY1305)
    "   POLY1305\n"
 #endif
    "\nENC + AUTH modes:\n"
 #if defined(LTC_EAX_MODE)
@ -254,6 +260,9 @@ const char *crypt_build_settings =
 #endif
   "\n"
 #endif
 #if defined(LTC_CHACHA20POLY1305_MODE)
    "   CHACHA20POLY1305\n"
 #endif
    "\nPRNG:\n"
 #if defined(LTC_YARROW)
@ -265,6 +274,9 @@ const char *crypt_build_settings =
 #if defined(LTC_RC4)
    "   RC4\n"
 #endif
 #if defined(LTC_CHACHA20_PRNG)
    "   ChaCha20\n"
 #endif
 #if defined(LTC_FORTUNA)
    "   Fortuna (" NAME_VALUE(LTC_FORTUNA_POOLS) ", " NAME_VALUE(LTC_FORTUNA_WD) ")\n"
 #endif
@ -395,6 +407,9 @@ const char *crypt_build_settings =
 #if defined(LTC_NO_FILE)
    " LTC_NO_FILE "
 #endif
 #if defined(LTC_FILE_READ_BUFSIZE)
    " " NAME_VALUE(LTC_FILE_READ_BUFSIZE) " "
 #endif
 #if defined(LTC_FAST)
    " LTC_FAST "
 #endif
--- a/src/misc/crypt/crypt_sizes.c
+++ b/src/misc/crypt/crypt_sizes.c
@ -223,6 +223,9 @@ static const crypt_size _crypt_sizes[] = {
 #ifdef LTC_FORTUNA
    _SZ_STRINGIFY_S(fortuna_prng),
 #endif
 #ifdef LTC_CHACHA20_PRNG
    _SZ_STRINGIFY_S(chacha20_prng),
 #endif
 #ifdef LTC_RC4
    _SZ_STRINGIFY_S(rc4_prng),
 #endif
--- a/src/prngs/chacha.c
+++ b/src/prngs/chacha.c
@ -0,0 +1,219 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* the idea of re-keying loosely follows the approach used in:
  * http://bxr.su/OpenBSD/lib/libc/crypt/arc4random.c
  */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA20_PRNG
 const struct ltc_prng_descriptor chacha20_prng_desc =
 {
   "chacha",
   sizeof(chacha_state),
   &chacha_prng_start,
   &chacha_prng_add_entropy,
   &chacha_prng_ready,
   &chacha_prng_read,
   &chacha_prng_done,
   &chacha_prng_export,
   &chacha_prng_import,
   &chacha_prng_test
 };
 /**
  Start the PRNG
  @param prng[out] The PRNG state to initialize
  @return CRYPT_OK if successful
 */
 int chacha_prng_start(prng_state *prng)
 {
   LTC_ARGCHK(prng != NULL);
   prng->chacha.ready = 0;
   XMEMSET(&prng->chacha.ent, 0, 40);
   prng->chacha.idx = 0;
   return CRYPT_OK;
 }
 /**
  Add entropy to the PRNG state
  @param in       The data to add
  @param inlen    Length of the data to add
  @param prng     PRNG state to update
  @return CRYPT_OK if successful
 */
 int chacha_prng_add_entropy(const unsigned char *in, unsigned long inlen, prng_state *prng)
 {
   unsigned char buf[40];
   unsigned long i;
   int err;
   LTC_ARGCHK(prng != NULL);
   LTC_ARGCHK(in != NULL);
   LTC_ARGCHK(inlen > 0);
   if (prng->chacha.ready) {
      /* chacha_prng_ready() was already called, do "rekey" operation */
      if ((err = chacha_keystream(&prng->chacha.s, buf, 40)) != CRYPT_OK)      return err;
      for(i = 0; i < inlen; i++) buf[i % 40] ^= in[i];
      /* key 32 bytes, 20 rounds */
      if ((err = chacha_setup(&prng->chacha.s, buf, 32, 20)) != CRYPT_OK)      return err;
      /* iv 8 bytes */
      if ((err = chacha_ivctr64(&prng->chacha.s, buf + 32, 8, 0)) != CRYPT_OK) return err;
      /* clear KEY + IV */
      XMEMSET(buf, 0, 40);
   }
   else {
      /* chacha_prng_ready() was not called yet, add entropy to ent buffer */
      while (inlen--) prng->chacha.ent[prng->chacha.idx++ % 40] ^= *in++;
   }
   return CRYPT_OK;
 }
 /**
  Make the PRNG ready to read from
  @param prng   The PRNG to make active
  @return CRYPT_OK if successful
 */
 int chacha_prng_ready(prng_state *prng)
 {
   int err;
   LTC_ARGCHK(prng != NULL);
   /* key 32 bytes, 20 rounds */
   if ((err = chacha_setup(&prng->chacha.s, prng->chacha.ent, 32, 20)) != CRYPT_OK)      return err;
   /* iv 8 bytes */
   if ((err = chacha_ivctr64(&prng->chacha.s, prng->chacha.ent + 32, 8, 0)) != CRYPT_OK) return err;
   XMEMSET(&prng->chacha.ent, 0, 40);
   prng->chacha.ready = 1;
   prng->chacha.idx = 0;
   return CRYPT_OK;
 }
 /**
  Read from the PRNG
  @param out      Destination
  @param outlen   Length of output
  @param prng     The active PRNG to read from
  @return Number of octets read
 */
 unsigned long chacha_prng_read(unsigned char *out, unsigned long outlen, prng_state *prng)
 {
   LTC_ARGCHK(prng != NULL);
   if (chacha_keystream(&prng->chacha.s, out, outlen) != CRYPT_OK) return 0;
   return outlen;
 }
 /**
  Terminate the PRNG
  @param prng   The PRNG to terminate
  @return CRYPT_OK if successful
 */
 int chacha_prng_done(prng_state *prng)
 {
   LTC_ARGCHK(prng != NULL);
   return chacha_done(&prng->chacha.s);
 }
 /**
  Export the PRNG state
  @param out       [out] Destination
  @param outlen    [in/out] Max size and resulting size of the state
  @param prng      The PRNG to export
  @return CRYPT_OK if successful
 */
 int chacha_prng_export(unsigned char *out, unsigned long *outlen, prng_state *prng)
 {
   unsigned long len = sizeof(chacha_state);
   LTC_ARGCHK(outlen != NULL);
   LTC_ARGCHK(out    != NULL);
   LTC_ARGCHK(prng   != NULL);
   if (!prng->chacha.ready) {
      return CRYPT_ERROR;
   }
   if (*outlen < len) {
      *outlen = len;
      return CRYPT_BUFFER_OVERFLOW;
   }
   XMEMCPY(out, &prng->chacha.s, len);
   *outlen = len;
   return CRYPT_OK;
 }
 /**
  Import a PRNG state
  @param in       The PRNG state
  @param inlen    Size of the state
  @param prng     The PRNG to import
  @return CRYPT_OK if successful
 */
 int chacha_prng_import(const unsigned char *in, unsigned long inlen, prng_state *prng)
 {
   unsigned long len = sizeof(chacha_state);
   LTC_ARGCHK(in   != NULL);
   LTC_ARGCHK(prng != NULL);
   if (inlen != len) return CRYPT_INVALID_ARG;
   XMEMCPY(&prng->chacha.s, in, inlen);
   prng->chacha.ready = 1;
   return CRYPT_OK;
 }
 /**
  PRNG self-test
  @return CRYPT_OK if successful, CRYPT_NOP if self-testing has been disabled
 */
 int chacha_prng_test(void)
 {
 #ifndef LTC_TEST
   return CRYPT_NOP;
 #else
   prng_state st;
   unsigned char en[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
                          0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
                          0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
                          0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
                          0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32 };
   unsigned char dmp[300];
   unsigned long dmplen = sizeof(dmp);
   unsigned char out[500];
   unsigned char t1[] = { 0x59, 0xb2, 0x26, 0x95, 0x2b, 0x01, 0x8f, 0x05, 0xbe, 0xd8 };
   unsigned char t2[] = { 0x30, 0x34, 0x5c, 0x6e, 0x56, 0x18, 0x8c, 0x46, 0xbe, 0x8a };
   chacha_prng_start(&st);
   chacha_prng_add_entropy(en, sizeof(en), &st); /* add entropy to uninitialized prng */
   chacha_prng_ready(&st);
   chacha_prng_read(out, 10, &st);  /* 10 bytes for testing */
   if (compare_testvector(out, 10, t1, sizeof(t1), "CHACHA-PRNG", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   chacha_prng_read(out, 500, &st);
   chacha_prng_add_entropy(en, sizeof(en), &st); /* add entropy to already initialized prng */
   chacha_prng_read(out, 500, &st);
   chacha_prng_export(dmp, &dmplen, &st);
   chacha_prng_read(out, 500, &st); /* skip 500 bytes */
   chacha_prng_read(out, 10, &st);  /* 10 bytes for testing */
   if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
   chacha_prng_done(&st);
   XMEMSET(&st, 0xFF, sizeof(st)); /* just to be sure */
   chacha_prng_import(dmp, dmplen, &st);
   chacha_prng_read(out, 500, &st); /* skip 500 bytes */
   chacha_prng_read(out, 10, &st);  /* 10 bytes for testing */
   if (compare_testvector(out, 10, t2, sizeof(t2), "CHACHA-PRNG", 3) != 0) return CRYPT_FAIL_TESTVECTOR;
   chacha_prng_done(&st);
   return CRYPT_OK;
 #endif
 }
 #endif
--- a/src/stream/chacha/chacha_crypt.c
+++ b/src/stream/chacha/chacha_crypt.c
@ -0,0 +1,90 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * chacha-ref.c version 20080118
 * Public domain from D. J. Bernstein
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA
 #define QUARTERROUND(a,b,c,d) \
  x[a] += x[b]; x[d] = ROL(x[d] ^ x[a], 16); \
  x[c] += x[d]; x[b] = ROL(x[b] ^ x[c], 12); \
  x[a] += x[b]; x[d] = ROL(x[d] ^ x[a],  8); \
  x[c] += x[d]; x[b] = ROL(x[b] ^ x[c],  7);
 static void _chacha_block(unsigned char *output, const ulong32 *input, int rounds)
 {
   ulong32 x[16];
   int i;
   XMEMCPY(x, input, sizeof(x));
   for (i = rounds; i > 0; i -= 2) {
      QUARTERROUND(0, 4, 8,12)
      QUARTERROUND(1, 5, 9,13)
      QUARTERROUND(2, 6,10,14)
      QUARTERROUND(3, 7,11,15)
      QUARTERROUND(0, 5,10,15)
      QUARTERROUND(1, 6,11,12)
      QUARTERROUND(2, 7, 8,13)
      QUARTERROUND(3, 4, 9,14)
   }
   for (i = 0; i < 16; ++i) {
     x[i] += input[i];
     STORE32L(x[i], output + 4 * i);
   }
 }
 /**
   Encrypt (or decrypt) bytes of ciphertext (or plaintext) with ChaCha
   @param st      The ChaCha state
   @param in      The plaintext (or ciphertext)
   @param inlen   The length of the input (octets)
   @param out     [out] The ciphertext (or plaintext), length inlen
   @return CRYPT_OK if successful
 */
 int chacha_crypt(chacha_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out)
 {
   unsigned char buf[64];
   unsigned long i, j;
   if (inlen == 0) return CRYPT_OK; /* nothing to do */
   LTC_ARGCHK(st  != NULL);
   LTC_ARGCHK(in  != NULL);
   LTC_ARGCHK(out != NULL);
   if (st->ksleft > 0) {
      j = MIN(st->ksleft, inlen);
      for (i = 0; i < j; ++i, st->ksleft--) out[i] = in[i] ^ st->kstream[64 - st->ksleft];
      inlen -= j;
      if (inlen == 0) return CRYPT_OK;
      out += j;
      in  += j;
   }
   for (;;) {
     _chacha_block(buf, st->input, st->rounds);
     /* increment the counter */
     if (!++st->input[12] && !++st->input[13] && !++st->input[14]) { ++st->input[15]; }
     if (inlen <= 64) {
       for (i = 0; i < inlen; ++i) out[i] = in[i] ^ buf[i];
       st->ksleft = 64 - inlen;
       for (i = inlen; i < 64; ++i) st->kstream[i] = buf[i];
       return CRYPT_OK;
     }
     for (i = 0; i < 64; ++i) out[i] = in[i] ^ buf[i];
     inlen -= 64;
     out += 64;
     in  += 64;
   }
   return CRYPT_OK;
 };
 #endif
--- a/src/stream/chacha/chacha_done.c
+++ b/src/stream/chacha/chacha_done.c
@ -0,0 +1,26 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA
 /**
  Terminate and clear ChaCha state
  @param st      The ChaCha state
  @return CRYPT_OK on success
 */
 int chacha_done(chacha_state *st)
 {
   LTC_ARGCHK(st != NULL);
   XMEMSET(st, 0, sizeof(chacha_state));
   return CRYPT_OK;
 };
 #endif
--- a/src/stream/chacha/chacha_ivctr32.c
+++ b/src/stream/chacha/chacha_ivctr32.c
@ -0,0 +1,42 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * chacha-ref.c version 20080118
 * Public domain from D. J. Bernstein
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA
 /**
  Set IV + counter data to the ChaCha state
  @param st      The ChaCha20 state
  @param iv      The IV data to add
  @param inlen   The length of the IV (must be 12)
  @param counter 32bit (unsigned) initial counter value
  @return CRYPT_OK on success
 */
 int chacha_ivctr32(chacha_state *st, const unsigned char *iv, unsigned long ivlen, ulong32 counter)
 {
   LTC_ARGCHK(st != NULL);
   LTC_ARGCHK(iv != NULL);
   /* 96bit IV + 32bit counter */
   LTC_ARGCHK(ivlen == 12);
   st->input[12] = counter;
   LOAD32L(st->input[13], iv + 0);
   LOAD32L(st->input[14], iv + 4);
   LOAD32L(st->input[15], iv + 8);
   st->ksleft = 0;
   return CRYPT_OK;
 };
 #endif
--- a/src/stream/chacha/chacha_ivctr64.c
+++ b/src/stream/chacha/chacha_ivctr64.c
@ -0,0 +1,42 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * chacha-ref.c version 20080118
 * Public domain from D. J. Bernstein
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA
 /**
  Set IV + counter data to the ChaCha state
  @param st      The ChaCha20 state
  @param iv      The IV data to add
  @param inlen   The length of the IV (must be 8)
  @param counter 64bit (unsigned) initial counter value
  @return CRYPT_OK on success
 */
 int chacha_ivctr64(chacha_state *st, const unsigned char *iv, unsigned long ivlen, ulong64 counter)
 {
   LTC_ARGCHK(st != NULL);
   LTC_ARGCHK(iv != NULL);
   /* 64bit IV + 64bit counter */
   LTC_ARGCHK(ivlen == 8);
   st->input[12] = (ulong32)(counter & 0xFFFFFFFF);
   st->input[13] = (ulong32)(counter >> 32);
   LOAD32L(st->input[14], iv + 0);
   LOAD32L(st->input[15], iv + 4);
   st->ksleft = 0;
   return CRYPT_OK;
 };
 #endif
--- a/src/stream/chacha/chacha_keystream.c
+++ b/src/stream/chacha/chacha_keystream.c
@ -0,0 +1,34 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * chacha-ref.c version 20080118
 * Public domain from D. J. Bernstein
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA
 /**
  Generate a stream of random bytes via ChaCha
  @param st      The ChaCha20 state
  @param out     [out] The output buffer
  @param outlen  The output length
  @return CRYPT_OK on success
 */
 int chacha_keystream(chacha_state *st, unsigned char *out, unsigned long outlen)
 {
   if (outlen == 0) return CRYPT_OK; /* nothing to do */
   LTC_ARGCHK(out != NULL);
   XMEMSET(out, 0, outlen);
   return chacha_crypt(st, out, outlen, out);
 }
 #endif
--- a/src/stream/chacha/chacha_setup.c
+++ b/src/stream/chacha/chacha_setup.c
@ -0,0 +1,60 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * chacha-ref.c version 20080118
 * Public domain from D. J. Bernstein
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA
 static const char sigma[16] = "expand 32-byte k";
 static const char tau[16]   = "expand 16-byte k";
 /**
   Initialize an ChaCha context (only the key)
   @param st        [out] The destination of the ChaCha state
   @param key       The secret key
   @param keylen    The length of the secret key (octets)
   @param rounds    Number of rounds (e.g. 20 for ChaCha20)
   @return CRYPT_OK if successful
 */
 int chacha_setup(chacha_state *st, const unsigned char *key, unsigned long keylen, int rounds)
 {
   const char *constants;
   LTC_ARGCHK(st  != NULL);
   LTC_ARGCHK(key != NULL);
   LTC_ARGCHK(keylen == 32 || keylen == 16);
   LOAD32L(st->input[4], key + 0);
   LOAD32L(st->input[5], key + 4);
   LOAD32L(st->input[6], key + 8);
   LOAD32L(st->input[7], key + 12);
   if (keylen == 32) { /* 256bit */
      key += 16;
      constants = sigma;
   } else { /* 128bit */
      constants = tau;
   }
   LOAD32L(st->input[8],  key + 0);
   LOAD32L(st->input[9],  key + 4);
   LOAD32L(st->input[10], key + 8);
   LOAD32L(st->input[11], key + 12);
   LOAD32L(st->input[0],  constants + 0);
   LOAD32L(st->input[1],  constants + 4);
   LOAD32L(st->input[2],  constants + 8);
   LOAD32L(st->input[3],  constants + 12);
   st->rounds  = rounds; /* e.g. 20 for chacha20 */
   return CRYPT_OK;
 };
 #endif
--- a/src/stream/chacha/chacha_test.c
+++ b/src/stream/chacha/chacha_test.c
@ -0,0 +1,66 @@
 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
 *
 * LibTomCrypt is a library that provides various cryptographic
 * algorithms in a highly modular and flexible manner.
 *
 * The library is free for all purposes without any express
 * guarantee it works.
 */
 /* The implementation is based on:
 * chacha-ref.c version 20080118
 * Public domain from D. J. Bernstein
 */
 #include "tomcrypt.h"
 #ifdef LTC_CHACHA
 int chacha_test(void)
 {
 #ifndef LTC_TEST
   return CRYPT_NOP;
 #else
   unsigned long len;
   unsigned char out[1000];
   /* https://tools.ietf.org/html/rfc7539#section-2.4.2 */
   unsigned char k[]  = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
                          0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
   unsigned char n[]  = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x00 };
   unsigned char ct[] = { 0x6E, 0x2E, 0x35, 0x9A, 0x25, 0x68, 0xF9, 0x80, 0x41, 0xBA, 0x07, 0x28, 0xDD, 0x0D, 0x69, 0x81,
                          0xE9, 0x7E, 0x7A, 0xEC, 0x1D, 0x43, 0x60, 0xC2, 0x0A, 0x27, 0xAF, 0xCC, 0xFD, 0x9F, 0xAE, 0x0B,
                          0xF9, 0x1B, 0x65, 0xC5, 0x52, 0x47, 0x33, 0xAB, 0x8F, 0x59, 0x3D, 0xAB, 0xCD, 0x62, 0xB3, 0x57,
                          0x16, 0x39, 0xD6, 0x24, 0xE6, 0x51, 0x52, 0xAB, 0x8F, 0x53, 0x0C, 0x35, 0x9F, 0x08, 0x61, 0xD8,
                          0x07, 0xCA, 0x0D, 0xBF, 0x50, 0x0D, 0x6A, 0x61, 0x56, 0xA3, 0x8E, 0x08, 0x8A, 0x22, 0xB6, 0x5E,
                          0x52, 0xBC, 0x51, 0x4D, 0x16, 0xCC, 0xF8, 0x06, 0x81, 0x8C, 0xE9, 0x1A, 0xB7, 0x79, 0x37, 0x36,
                          0x5A, 0xF9, 0x0B, 0xBF, 0x74, 0xA3, 0x5B, 0xE6, 0xB4, 0x0B, 0x8E, 0xED, 0xF2, 0x78, 0x5E, 0x42,
                          0x87, 0x4D };
   char pt[] = "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.";
   chacha_state st;
   len = strlen(pt);
   /* crypt piece by piece */
   chacha_setup(&st, k, sizeof(k), 20);
   chacha_ivctr32(&st, n, sizeof(n), 1);
   chacha_crypt(&st, (unsigned char*)pt,      35,       out);
   chacha_crypt(&st, (unsigned char*)pt + 35, 35,       out + 35);
   chacha_crypt(&st, (unsigned char*)pt + 70,  5,       out + 70);
   chacha_crypt(&st, (unsigned char*)pt + 75,  5,       out + 75);
   chacha_crypt(&st, (unsigned char*)pt + 80, len - 80, out + 80);
   if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV1", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* crypt in one go */
   chacha_setup(&st, k, sizeof(k), 20);
   chacha_ivctr32(&st, n, sizeof(n), 1);
   chacha_crypt(&st, (unsigned char*)pt, len, out);
   if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV2", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   /* crypt in one go - using chacha_ivctr64() */
   chacha_setup(&st, k, sizeof(k), 20);
   chacha_ivctr64(&st, n + 4, sizeof(n) - 4, 1);
   chacha_crypt(&st, (unsigned char*)pt, len, out);
   if (compare_testvector(out, len, ct, sizeof(ct), "CHACHA-TV3", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
   return CRYPT_OK;
 #endif
 }
 #endif
--- a/testprof/cipher_hash_test.c
+++ b/testprof/cipher_hash_test.c
@ -14,6 +14,11 @@ int cipher_hash_test(void)
      DOX(cipher_descriptor[x].test(), cipher_descriptor[x].name);
   }
 #ifdef LTC_CHACHA
   /* ChaCha is a special case (stream cipher) */
   DO(chacha_test());
 #endif
   /* test hashes */
   for (x = 0; hash_descriptor[x].name != NULL; x++) {
      DOX(hash_descriptor[x].test(), hash_descriptor[x].name);
--- a/testprof/mac_test.c
+++ b/testprof/mac_test.c
@ -35,6 +35,12 @@ int mac_test(void)
 #endif
 #ifdef LTC_PELICAN
   DO(pelican_test());
 #endif
 #ifdef LTC_POLY1305
   DO(poly1305_test());
 #endif
 #ifdef LTC_CHACHA20POLY1305_MODE
   DO(chacha20poly1305_test());
 #endif
   return 0;
 }
--- a/testprof/x86_prof.c
+++ b/testprof/x86_prof.c
@ -330,6 +330,9 @@ static void _unregister_all(void)
 #ifdef LTC_RC4
  unregister_prng(&rc4_desc);
 #endif
 #ifdef LTC_CHACHA
  unregister_prng(&chacha20_prng_desc);
 #endif
 #ifdef LTC_SOBER128
  unregister_prng(&sober128_desc);
 #endif
@ -497,6 +500,9 @@ register_prng(&fortuna_desc);
 #ifdef LTC_RC4
 register_prng(&rc4_desc);
 #endif
 #ifdef LTC_CHACHA
 register_prng(&chacha20_prng_desc);
 #endif
 #ifdef LTC_SOBER128
 register_prng(&sober128_desc);
 #endif